Editor's Note


Welcome to the New Windows IT Pro Digital Edition!




We’re excited to bring you this new and enhanced digital edition of Windows IT Pro. The new digital issue replaces the print magazine but still provides the same great content you’ve come to expect, enhanced with audio and video, social media feeds, and other interactive features.

We look forward to continuing to provide in-depth technical content that you can now view on your PC, tablet, or smartphone device. You can read the digital edition online or offline, and you can print pages on demand.

We created a landing page with additional information about the digital issues. Please take a look at the new digital edition and give me your feedback. We’re eager to make the magazine as useful as ever.

Thanks for reading and for being part of the Windows IT Pro community! ■



Amy Eisenberg 

is editor in chief for Windows IT Pro and SQL Server Pro and has worked in publishing for 20 years. For more than 10 years, Amy has been responsible for developing Windows Server content for magazines, print and email newsletters, and technical seminars that help IT pros get the most out of their Windows systems.
IT Pro Perspectives



NSTIC Identity Initiative Moves Forward

Government funding and wide private-sector participation show promise for this cloud identity vision


In my October 2011 Enterprise Identity column (“NSTIC Lays Out a Compelling Identity Ecosystem Vision”), I talked about the National Strategy for Trusted Identities in Cyberspace (wisely abbreviated to NSTIC, pronounced “n-stick”). At the time I thought NSTIC’s concept of a government initiative to spur development of a widely adopted, next-generation secure identity environment showed a lot of promise. But it had some significant obstacles to overcome. Today, I’m pleased to say NSTIC is healthy and moving forward, to all our benefit. And the initiative is something you should know about.

The NSTIC vision is an answer to the security mess we all deal with in this current phase of the Internet’s life. We all have too many passwords and they’re far too easy to crack, security is inconvenient and therefore avoided, high-security transactions are just not safe enough, users are trained to click “yes” to everything they see or, conversely, are afraid to click “yes” to anything...it’s a long list of failings.

NSTIC describes “a vision of the future—an Identity Ecosystem—where individuals, businesses, and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely support transactions ranging from anonymous to fully authenticated and from low to high value. Key attributes of the Identity Ecosystem include privacy, convenience, efficiency, ease-of-use, security, confidence, innovation, and choice.” NSTIC has a list of Identity Ecosystem scenarios that demonstrate how much simpler and more secure our hybrid real/cyber world of the future would be with such a framework.

Let me be clear: NSTIC’s idea is that of an identity ecosystem, not a draconian government identity system. The government isn’t developing these standards and the ecosystem framework; instead, it’s providing fertile ground for the big players in Internet identity (such as Google, PayPal, IBM Global Services, Microsoft, VeriSign, Adobe, CA, Ping Identity, and Symantec) to develop the system themselves by providing federal funding to meet, determine standards, and begin pilot programs. As incentive to prove out these emerging standards, NSTIC is also offering government organizations as early adopters.

As an IT pro, why should you care about what sounds like a mainly consumer-oriented initiative? First, if you work for a business to consumer (B2C) company, you already know that the lines between enterprise and consumer identity are increasingly becoming blurred as your external services are adapting to accept credentials from identity providers such as Google, Twitter, and Facebook. If your company focuses on business to business (B2B), meeting identity ecosystem criteria might make it far easier to set up efficient and secure business operations with other trusted companies.

There was some doubt whether a government project toward such a utopian goal would survive a budget deficit and a partisan Congress. But on November 18, 2011, President Obama approved $16.5 million for the NSTIC initiative to continue (though far less than the $24.5 million requested). Since then, the National Institute of Standards and Technology (NIST) released a new $10 million Federal Funding Opportunity (FFO) for pilot programs to support NSTIC. The goal of the grant program is to test or demonstrate new solutions, models, or frameworks that don’t exist in the marketplace today and that will advance the NSTIC vision.
On February 7, 2012, NIST published the report “Recommendations for Establishing an Identity Ecosystem Governance Structure” (aka the Steering Committee). How you actually govern (in the private sector sense) a loosely federated group of cooperating companies is critical to the success of the entire endeavor, and more than 57 stakeholders from private industry, consumer advocacy groups, privacy protection organizations, state government, and members of the financial and health care communities provided formal input to the report. In mid-March, NSTIC held a governance workshop and announced $2.5 million in funding for the building and management of the Steering Committee.

NSTIC is something that needs to happen. To quote the NSTIC strategy document, “A secure cyberspace is critical to our prosperity.” It has broad participation in its evolution—remember, the government is providing coordination and incentives, but it’s handing over control to the private sector—so that the final structure that emerges will be broadly usable. And you can still participate; hop over to the NSTIC website and have a look around to better understand where the initiative is going. You can also sign up for occasional NIST emails to keep up with NSTIC’s progress. ■

InstantDoc ID 142609 
Letters


letters@windowsitpro.com 


Send Your Comments

Windows IT Pro welcomes feedback about the magazine. Send comments, and include your full name, email address, and daytime phone number. We edit all letters and replies for style, length, and clarity.

Comments 



Long Live Windows XP 

I read Jeff James’s article Long Live Windows XP. If Microsoft is having problems moving people from XP to Windows 7, this will be nothing like the problems the company will have trying to get people to move to Windows 8. The experience is like forgetting everything you know and starting over again (but there is no Start).

My change from XP to Windows 7 was a breeze, mainly because Windows Vista did the hard work, making it easy for those of us who held off until Windows 7. But users moving to Windows 8 will find it to be a radical change. I understand the thinking behind the unification of the OS across all devices. But at the end of the day, Windows 8 is intended for tablets and phones, not for 24" desktop screens. What happens to my soothing desktop pictures? Will I be stuck with the green card-table look just because it’s easier on everyone’s tablet resources?

Microsoft is going to have big problems selling Windows 8 to corporate America. What companies using XP will be rushing to Windows 8, especially when they know that this change will require more training than moving to Windows 7? I’ll get Windows 8 and learn to use it, but only because it’s my job. Why does Windows Server 8 have to have this interface? I’m too old for this.

By the way, great magazine! I love it! 

—Chris Doolan 
InstantDoc ID 142646 
Digital Transition in Song

In response to Windows IT Pro’s transition from print to digital, we heard from many readers expressing both support and sadness. Easily the most entertaining note of nostalgia for our print edition was Dimitrios Kalemis’s song, which you see below. Not to be outdone, we rose to the challenge to provide a song in response. Enjoy the words and the audio!

Just the Way You Are 

Don’t go changing, trying to please me 
You never let me down before 
Don’t imagine you’re too familiar 
And I don’t read you anymore 

I would not leave you in times of trouble 
We never could have come this far, no WITPro 
I took the good times, I’ll take the bad times 
I’ll read you just the way you are! 

Don’t go trying some new fashion 
Don’t change your format, please don’t dare, WITPro 
You always have my unspoken passion 
Although I might not seem to care 

I don’t want clever digitization 
And I’ll never use an iPad, no WITPro 
I just want something to hold on to 
I want you just the way you are! 

I need to know that you will always be 
The same old print mag that I knew 
What will it take till you believe in me 
The way that I believe in you 

I said I read you and that’s forever 
And this I promise from my heart, oh WITPro 
I could not read you any better 
I want you just the way you are! 

I don’t want clever digitization 
And I’ll never use an iPad, no WITPro 
I just want something to hold on to 
I want you just the way you are! 

—Dimitrios Kalemis 




Audio: Dimitrios Kalemis sings "Just the Way You Are"
Audio: "Dimitri Come Back" (vocals by Michele Crockett, VP of Content Services, Penton Marketing Services; piano by Bob Montgomery)


Dimitri Come Back 

Spending all our nights
All our time, editing the digital editions
Doing anything just to get print off of our minds
And when the morning comes
We’re hot-linking interactive features
Trying to avoid digital is just a waste of time

Dimitri come back!
Any kind of IT pro can see
There is something in everything about WITPro
Dimitri come back!
You can blame it on technology
Print is done and we just can’t live without you

All day long, inserting audio, video, and social media feeds
Optimizing for PCs, tablets, and smartphones
And as the sun goes down
We get that digital feeling again
How we wish to God that Dimitri were here

Dimitri come back!
Any kind of IT pro can see
There is something in everything about WITPro
Dimitri come back!
You can blame it on technology
Print is done and we just can’t live without you

Now that we’ve put the digital edition together
Dimitri, give us the chance to make you see
We know there’s room in your heart for digital
Room enough for WITPro
Click some links, just wait and see

Dimitri come back!
Any kind of IT pro can see
There is something in everything about WITPro
Dimitri come back!
Listen Dimitri
You can blame it on technology
Print is done and we just can’t live without you

—Windows IT Pro Editors 

lyrics by Lavon Peters, managing editor 
Windows 8 and Windows Server 8 in Beta

As predicted two months ago, Microsoft has indeed signed off on its beta versions of Windows 8 and Windows Server 8 but has chosen to label the former as a so-called Consumer Preview. That name is incorrect, however—this prerelease milestone of Microsoft’s next client OS is really aimed at technical users, which means you, the IT pro. You’re going to want to get it, and test it, as soon as possible. And that’s perhaps even more true of the Server 8 Beta, which appears to be more mature.

Downloading and Installing Windows 8 Consumer Preview and Server 8 Beta

With the Consumer Preview, Microsoft is offering up Windows 8 via a variety of download and installation methods. End users hoping to install Windows 8 over an existing Windows 7 installation—as a clean installation, in-place upgrade, or migration—might want to check out the new web-based installer. Microsoft expects that many consumers who would normally purchase a boxed copy of Windows 8 will choose this web-based route. It actually offers some key advantages over a more traditional media-based installation.

For example, the product key is encoded into the download and already filled out in Setup. And it integrates two separate tools—the Upgrade Advisor and Windows Easy Transfer—for a far more seamless, and simple, experience.
Of course, most people reading this are going to want a traditional ISO download, which can be installed easily in a new virtual machine (VM) or burned to DVD or USB media for installation on physical machines. Microsoft is offering the Consumer Preview in this format as well, in separate 32-bit (x86) and 64-bit (x64) versions, at the Windows 8 Consumer Preview ISO images website and at TechNet and MSDN. For these versions, be sure to make a note of the product key Microsoft provides, because Setup will ask for it, and, unlike with Windows 7 and Vista, you can’t skip that step. The downloads come in at roughly 2.5GB in size for the 32-bit version and 3.3GB for the 64-bit one. And what the heck, here’s some more installation advice: Get the 32-bit version for VMs. It performs much faster.

The Windows Server 8 Beta is available for download from the Microsoft Server and Cloud Platform website. This equates to the Datacenter SKU and is 64-bit only, in keeping with Microsoft’s previous decision to move to 64-bit-only server OSs. But you have a choice of ISO (3.5GB) and VHD (virtual hard drive, 2.5GB) formats this time around, the latter of which is, of course, well-suited for Hyper-V, Virtual PC, or other compatible virtualization environments.

Both OSs installed flawlessly on virtually (ahem) everything I threw at them. And Windows 8 even installed on a Windows XP-class netbook, though it couldn’t run any of the new Metro-style apps, which require a resolution of at least 1024 x 768. And although Server 8 supposedly has some fairly modern chipset requirements for Hyper-V, I was surprised to see it easily enabled on a range of hardware devices, including a fairly low-end micro server and a Core 2 Duo-based desktop I’ve requisitioned for a test server.

If you do step through Setup manually, you’ll find the process is very quick for both, about 15 minutes tops if you’re babysitting it. Server 8 defaults to a Server Core installation if you’re not paying attention; you can enable the full GUI, though, which is probably a good idea for testing purposes.
What to Test: Windows 8 Consumer Preview

I’ve written an almost embarrassing amount of Windows 8 Consumer Preview content on the SuperSite for Windows, so rather than reiterate any of it here, I’ll direct you to my Windows 8 landing page, which features well over 40 Consumer Preview articles (and counting). Also see my article “8 Days a Week: The Consumer Preview Arrives!” for a decent overview of some of that content, and the separate high-level overview of the Windows 8 Consumer Preview I wrote for this issue of Windows IT Pro.

Regardless of what you read and when, the first time you sit down and actually use Windows 8, you’re going to run into an unavoidable disconnect: Windows 8 doesn’t offer up a single, cohesive UI that works equally well on all PC types. Instead, it offers up two: a Metro-style UI I’ll just call Metro, and the traditional Windows desktop. They run side by side, basically, but there’s little doubt that the desktop is subservient to Metro.

There’s no real choice about which to use, either. Those with traditional PCs—desktops, laptops—will stick mostly to the desktop. Those with next-generation tablets and, soon, hybrid PCs, will stick largely to Metro. What that means to you is that, for most users, for the foreseeable future, Windows 8 will work much like Windows 7. There are a few small exceptions—the Start button has been replaced by a Start tip that works consistently between the two UIs, for example—but for the most part, if it works in Windows 7, it works—and in the same way—in Windows 8.

But there are improvements. And it might be helpful to understand what’s going on here from a business perspective and call out a few features you should look at.

Microsoft first implemented Windows Defender in Windows Vista, but it gets a major update in Windows 8 and now offers full antivirus functionality in addition to its previous anti-malware duties. This means that many environments might be able to get away without a third-party security solution, but you’ll want to test that. (Note that Windows Defender is now essentially a basic version of Microsoft Forefront Client Security.)

For very modern hardware with UEFI firmware, you can now take advantage of two security features: Secure Boot and Measured Boot. Secure Boot prevents rootkit-style malware from starting before Windows boots; Measured Boot validates the PC’s integrity against a remote service.

Microsoft first provided SmartScreen malicious download protection in Internet Explorer 9. In Windows 8, it’s an optional feature for the Windows shell as well, meaning you can protect PCs against malicious software that arrives via other browsers or perhaps other means, like a USB memory stick.

The best IT pro feature, arguably, isn’t ready yet. It’s called Windows To Go, and it will let you boot and run a dedicated Windows 8 environment using a USB memory stick (or hard drive; it must be at least 32GB in size). This will be a very interesting solution for temporary workers and for people who want to travel really lightly between branch offices, educational institutions, and other lab scenarios. I’m told there’s a way to hack a Windows To Go device together using the Consumer Preview and the Windows deployment tools, but my efforts have been time-consuming wastes of time thus far. Microsoft tells me this feature will be fully implemented and available for testing by the next milestone, however.

Finally, I should at least mention that Microsoft is obviously moving to a future of full-screen, Metro-style apps, and although it might be hard to imagine why this would be useful in the short term, consider that not all users need to be tethered to a big screen with a keyboard and mouse, and that many can get real work done with a simple tablet device and, perhaps, a handful of Metro-style LOB apps. Metro might be controversial, but it also offers a modern runtime environment and modern APIs for developers. It’s something to consider.
What to Test: Windows Server 8 Beta

I’ve written considerably less about the Windows Server 8 Beta so far, but the reason is simple: This product was better-understood at the Developer Preview milestone, and what we see at beta is basically just a formalization and maturation of what was previously just promise. Server 8 is a major release of Windows Server that recasts this product as a true, next-generation server, where the admin or IT pro never sits down in front of the machine (physically, or even virtually, through remote desktop) and administers it as a single entity. Instead, servers should be GUI-less when possible, accessed remotely through tools, and managed together in groups.

It’s a stunning, if obvious, vision, one that’s so clearly right that you’ll wonder how you lasted so long by administering individual servers. But getting to this idealistic future will require a lot of work, and a lot of training, and it involves two well-intentioned but thus far little-used Windows Server technologies: Server Core—which is now the default installation type—and Windows PowerShell.

To the first point, Microsoft has added two huge, key improvements: Server Core is no longer a one-way operation, so you can move into (and out of) this type of installation by adding or removing roles. And it’s no longer so absolute: There’s a happy middle ground between Server Core and the full GUI, and that’s a minimal UI mode that combines Server Core’s command-line interface with the best tool of all, Server Manager.

Speaking of Server Manager, it was a mess in the Developer Preview, but it’s been fine-tuned and spit-polished for the Beta with a less flat look and feel. It’s a nice interface, which is good because many admins and IT pros will be staring at this one application all day (preferably from a Windows desktop using Remote Server Administration Tools—RSAT). You can create server groups, applying changes and fixes to multiple machines, and it provides handy links to nearly every other server tool you’ll ever need. As a bonus, it can generate PowerShell scripts for virtually any action, providing a way to automate any activity more efficiently.

Hyper-V 3.0 is a monster of an upgrade, with support for 1TB of RAM per VM, VHDs of up to 64TB, support for clustering—including guest clustering over Fibre Channel—and more. Yes, the Metro UI is up front and center, though admins will be happy to know that they’ll boot right into the desktop—and Server Manager—if they leave the Aero Basic scheme intact (which I recommend). A new Microsoft Online Backup Service offers cloud-based backup and easy recoverability.

Although much about Server 8 was previously known—and you can learn a lot more in my Windows Server 8 Preview—there are some new features in this release as well. The new Resilient File System (ReFS) has been implemented, and although you can use it only for file servers, it should provide a compelling large-disk solution, especially when paired with the Storage Spaces feature, which duplicates data automatically between multiple storage devices. You can enable SMB encryption, which can protect data from attacks on untrusted networks with just a small performance hit. In a similar vein, those with SMB2 file shares can now protect the integrity of data with the Volume Shadow Copy Service (VSS). And a new feature called SMB Directory Leasing improves application response times in branch offices by reducing the roundtrips required between client and server, according to Microsoft.

New Features, One Big Leap 

You get the idea: Server 8 has hundreds of new features, but the really big functional leap is going to involve remote and multiserver administration and a new emphasis on server technologies such as Server Core and PowerShell that many admins, frankly, find difficult. It’s an exciting time to learn new skills, however, and the Server 8 Beta is an ideal place to start. ■
Search-ADAccount Top to Bottom

This command is a terrific way to discover troubled accounts, and it can help solve many Active Directory cleanup problems

In my past few columns, I’ve been showing you search-adaccount, a Windows Server 2008 R2 cmdlet designed to accomplish a small but oft-needed set of queries. Now it’s time to really dig into its syntax. Basically, most search-adaccount commands look like

search-adaccount -usersonly option [-searchbase...] 


Clearly, it’s a case of carpal tunnel syndrome in the making. But you can make it a bit better. The -usersonly parameter is the only one that starts with u, so you need never write -usersonly again—the u will suffice. And before you ask, there isn’t a short name (or alias, in PowerShell talk) for search-adaccount. Note that there’s also a -computersonly parameter (which you can shorten to -co) that reports only on troubled machine accounts in Active Directory (AD), and there’s a -credential parameter for search-adaccount.

Now I can quickly cover search-adaccount’s capabilities.

Disabled accounts. Add the -accountdisabled parameter (shorten it to -accountd) to see your domain’s disabled accounts, as in

search-adaccount -u -accountd 
You’ve met the -searchbase (or -searchb) parameter that lets you restrict the get-aduser command to only perform its query in a part of AD, and you can use it in search-adaccount as well. To look for disabled user accounts in an organizational unit (OU) called Pungo, you could type

search-adaccount -u -accountd -searchb "ou=pungo,dc=bigfirm,dc=com"

Locked-out accounts. Search-adaccount’s -lockedout parameter (which you can shorten to simply -l) essentially works identically to the -accountdisabled parameter. To create a table of the locked-out accounts and the last time they logged on, you could type

search-adaccount -u -l | ft name,lastlogondate -auto

(Recall that ft is an alias for format-table.) You could even jazz it up a bit and sort the table by the last time the locked-out users were successful at logging on, and then give that to format-table:

search-adaccount -u -l | sort -pr lastlogondate | ft name,lastlogondate

Inactive accounts. The -accountinactive parameter lets you find people who haven’t logged on since a given day (using the -DateTime parameter) or a certain number of days (using the -TimeSpan parameter). You can shorten -accountinactive to -accounti. To see the people who haven’t logged on in the past 50 days, type

search-adaccount -u -accounti -timespan "50" 

or, pursuing our never-ending quest for the shortest commands, 

search-adaccount -u -accounti -t "50" 
Note that you absolutely must put the 50 in quotes; otherwise, search-adaccount will show you everyone who hasn’t logged on in the past 15 or so days. (The command ignores numbers not in quotes, and you get no error message—and an absence of parameters means “in the past 15 days.”) You can use the -DateTime parameter (which shortens to -da) to ask who hasn’t logged on since a particular date, although recall from a previous column that search-adaccount builds in a 15-day grace period in recognition of an AD quirk about keeping “last logon time” information for a user account. Thus, the command

search-adaccount -u -accounti -da "29 oct 2011" 

would intend to show you the user accounts that last logged on before October 29, 2011, as well as those that have never logged on. Because of the built-in 15-day “slop,” in reality you’ll see accounts whose last logon date was around mid-October. Notice that, like -TimeSpan, -DateTime requires that its date be surrounded by quotes.

Accounts whose passwords have expired. Here’s another nice simple capability, employing the -passwordexpired parameter, which shortens only to -passworde. I wish I could tell you that you could add -datetime or -timespan to find accounts whose passwords are nearly expired, but the cmdlet doesn’t do that, unfortunately.

Expired or soon-to-be-expired accounts. The -accountexpired and -accountexpiring parameters do the job here. Same story: -searchbase works for both; -datetime and -timespan work for -accountexpiring. It’s a nice tool for cleaning up the long-unused accounts.

Search-adaccount is a terrific way to find troubled or suspicious accounts. In tandem with get-aduser, it can help solve many AD cleanup problems. But it doesn’t do the whole job, and that’s why we’ll meet some more cmdlets next month. ■
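As an added example (not the column's own code), here is a script that runs every check the column walks through in one pass and tags each result with the finding it came from, so a cleanup review can be sorted and exported rather than run query by query. It assumes the ActiveDirectory module (RSAT) is installed and uses the column's sample Pungo OU as the default search base; the -TimeSpan values are passed as real [TimeSpan] objects, which sidesteps the quoting pitfall the column describes.

```powershell
# Added example, not code from the column. One report covering the account
# states Search-ADAccount can find, using full parameter names instead of the
# abbreviated forms used in the column. Assumes the ActiveDirectory module
# (part of RSAT) is installed and the caller has read access to the domain.
Import-Module ActiveDirectory

function Get-TroubledAccountReport {
    param(
        # Restrict the query to one part of AD; default is the column's sample OU.
        [string]$SearchBase = "ou=pungo,dc=bigfirm,dc=com",
        [int]$InactiveDays = 50,   # no logon in this many days (plus AD's ~15-day grace)
        [int]$ExpiringDays = 30    # account expiration date falls within this window
    )

    $common = @{ UsersOnly = $true; SearchBase = $SearchBase }

    # Map each finding to the switches that produce it. -TimeSpan gets a typed
    # [TimeSpan] object: the column notes that an unquoted number is silently
    # ignored, and a typed value cannot be misread that way.
    $checks = [ordered]@{
        Disabled        = @{ AccountDisabled = $true }
        LockedOut       = @{ LockedOut = $true }
        Inactive        = @{ AccountInactive = $true
                             TimeSpan = (New-TimeSpan -Days $InactiveDays) }
        PasswordExpired = @{ PasswordExpired = $true }
        Expired         = @{ AccountExpired = $true }
        Expiring        = @{ AccountExpiring = $true
                             TimeSpan = (New-TimeSpan -Days $ExpiringDays) }
    }

    foreach ($finding in $checks.Keys) {
        $params = $checks[$finding]
        # Two splats: the shared -UsersOnly/-SearchBase plus this finding's switches.
        Search-ADAccount @common @params |
            Select-Object @{ n = 'Finding'; e = { $finding } },
                          Name, SamAccountName, Enabled, LastLogonDate,
                          AccountExpirationDate, DistinguishedName
    }
}

# An account can legitimately appear under more than one finding (for example,
# a disabled account that has also not logged on for months), so keep every row.
$report = Get-TroubledAccountReport -InactiveDays 50 -ExpiringDays 30

# Count per finding, then the detail sorted by last successful logon.
$report | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
$report | Sort-Object Finding, LastLogonDate |
    Format-Table Finding, Name, LastLogonDate, AccountExpirationDate -AutoSize

# Keep a dated copy for the cleanup ticket (constructed path).
$report | Export-Csv -NoTypeInformation -Path ("TroubledAccounts-{0:yyyyMMdd}.csv" -f (Get-Date))
```

Add -ComputersOnly in place of -UsersOnly in $common to run the same report over machine accounts, and -Credential if the review is done from a workstation under a different account.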
New Features in Hyper-V 3.0

More powerful VMs and better networking capabilities await you in Microsoft's next virtualization release
Microsoft’s Hyper-V virtualization platform has long been the runner-up to VMware’s vSphere in the enterprise virtualization race. The upcoming release of Windows Server 8 with its new Hyper-V 3.0 virtualization capabilities promises to change all that. With what is essentially its third release of the Hyper-V platform, Microsoft has made tremendous strides in leveling the playing field with vSphere. Let’s take a look at the top 10 new features in Hyper-V 3.0.

(1) VMs with 32 vCPUs — Previous versions of Hyper-V were limited to four virtual CPUs (vCPUs) per VM, which was adequate for smaller servers but obviously wasn’t able to support workloads with very high scalability requirements. Hyper-V 3.0 VMs will support up to 32 vCPUs, which is adequate for almost all workloads.


(2) VMs with 512GB of RAM — Another huge advance in VM scalability is support for up to 512GB of RAM per VM. This is a big increase over previous Hyper-V VMs, which were limited to 32GB of RAM. VMs that support 32 vCPUs and 512GB of RAM provide scalability comparable to vSphere 5.1.


(3) 16TB VHDX format — Another scalability enhancement that Microsoft has added to Hyper-V 3.0 is support for a new Virtual Hard Disk (VHD) format called VHDX. The VHDX format provides support for VHDs with up to 16TB of storage. Previous versions of the VHD format were limited to 2TB.

(4) Multiple concurrent Live Migrations and Storage Live Migrations — Live Migration was added to Hyper-V 2.0, which was introduced with Windows Server 2008 R2. It let you move VMs between hosts in the same cluster with no downtime. However, it was limited to performing a single Live Migration per occurrence, and migrating VM storage still required downtime. Hyper-V 3.0 addresses both of these problems by allowing for unlimited multiple concurrent Live Migrations as well as introducing Storage Live Migrations.

(5) Hyper-V Replica — A completely new feature in Hyper-V 3.0, Hyper-V Replica, is a disaster-recovery solution for VMs that doesn’t require an expensive SAN. Hyper-V Replica provides asynchronous replication of VMs from a primary site to a backup site without the need for specialized storage or networking hardware. In the event of a failure at the primary site, the administrator can fail over to the replica VMs at the disaster-recovery site.

(6) Extensible virtual switch — The virtual networking capabilities provided by Hyper-V 3.0 have been significantly enhanced. Microsoft’s new virtual switch can provide minimum and maximum bandwidth guarantees. The virtual switch is also extensible through an API that allows capture, filtering, and forwarding extensions to be added to the switch. Microsoft will subject all Hyper-V virtual switch extensions to testing through a new logo program.

(7) 63-node clusters — Although this isn’t strictly a virtualization feature, Hyper-V 3.0 can take advantage of Windows Server 8’s vastly expanded clustering capabilities. Earlier versions of Windows Server Failover Clustering were limited to 16 nodes. Windows Server 8 supports clusters with up to 63 nodes and up to 4,000 VMs per cluster. Cluster nodes can be physical systems or they can be VMs. Clusters of VM guests can span multiple virtualization hosts.

WWW.WINDOWSITPRO.COM
Windows IT Pro / May 2012

(8) Support for native NIC teaming — Another important underlying enhancement to Windows Server 8 that Hyper-V 3.0 can leverage is Windows Server 8’s native support for NIC teaming. NIC teaming was possible in earlier versions of Windows Server. However, you needed specialized NICs from either Intel or Broadcom. Windows Server 8’s NIC teaming works over all types of heterogeneous NICs and can be used by Hyper-V 3.0 virtual networks.


(9) Affinity and anti-affinity rules — With Hyper-V 3.0, 
administrators can use affinity and anti-affinity rules to control 
when multiple VMs should fail over together or to prevent specific VMs 
(for example, two domain controllers) from running simultaneously on 
the same virtualization host. Affinity and anti-affinity are 
configured by setting properties on the cluster groups that own the 
VMs. 

(10) Hyper-V client — One surprising move was support for Hyper-V on 
the desktop. Hyper-V 3.0 will be built into the client version of 
Windows 8. Unlike the older Microsoft Virtual PC, Hyper-V on the 
client will run directly on the system hardware. And unlike Hyper-V 
2.0, it will also support power-management functions such as suspend 
and hibernate. ■ 
Windows Server 8 Active Directory Moves Forward 

Evolutionary but much-needed changes to the world's most 
popular identity system 


In this month's column, I'm going to review the major identity and 
security changes that Microsoft has incorporated into Windows Server 
8. Mind you, these changes qualify as evolutionary rather than 
revolutionary; they build on and extend the solid Active Directory 
(AD) foundation that we already have. Microsoft Program Manager Nathan 
Muggli once said, "Designing changes to Active Directory is like 
ordering pizza for a million people; everyone wants something 
different." You don't want to rock the boat that holds 75 percent of 
every midsized and enterprise business in the world. But evolutionary 
steps are important, too, and they can indicate a product's future 
direction. In Windows Server 8 identity and security, these 
evolutionary steps involve data governance, AD, and virtualization. 

Data Governance 

Before I dig any deeper into Server 8's identity changes, I need to 
point out a change that Microsoft made in Windows Server 2008 R2: 
File Classification Infrastructure (FCI). This capability slipped 
beneath my radar, and perhaps yours, because it's a file system 
feature rather than an identity feature. You'll see how FCI gets 
involved with identity shortly, but first let me explain what FCI is. 
FCI provides the ability to define file-classification properties for 
your file servers, to automatically classify files according to the 
folder in which the file is located or according to the content of 
that file, to apply file-management tasks such as file expiration and 
custom commands based on a file's classification, and to produce 
reports that show the distribution of a classification property on 
the file server. With FCI, an end user (such as the content owner) 
can manually classify a file, or line-of-business (LOB) applications 
can programmatically set classification properties on files. You can 
even use FCI to search file content for sensitive words or patterns 
such as Social Security numbers and automatically classify the file 
as sensitive or as containing personally identifiable information 
(PII). 

What's so useful about this? With FCI, administrators can, for 
example, automatically move data from expensive online storage to 
less expensive, slower storage based on a file's classification and 
on policies you define. Or you can set files to expire after a 
certain amount of time. You can play with FCI through the File Server 
Resource Manager (FSRM) utility by installing this file server role 
service, then launching it from Administrative Tools. This is the 
same utility that lets you control quotas, file screening, and 
storage reports. What's relevant to this discussion, though, is that 
FCI provides one of the building blocks for a really big Server 8 
identity and security feature: Dynamic Access Control (DAC). 
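As an added example (not code from the column), the following Windows PowerShell builds the Social Security number case described above on Windows Server 2012's FileServerResourceManager module: it defines a Yes/No property, creates a content rule that sets it, classifies two constructed files, and reads the result back. The module name is the one the 2012 FSRM role service ships with; the share path D:\Shares\Finance, the test files, and the COM read at the end (Fsrm.FsrmClassificationManager and its EnumFileProperties method) are assumptions about a lab server, not anything the column specifies.

```powershell
# Added example, not from the column. Needs the File Server Resource
# Manager role service on Windows Server 2012 (PowerShell module
# FileServerResourceManager) and an elevated session. The share path
# and the test files are lab assumptions.
Import-Module FileServerResourceManager

$PropertyName = 'PII'
$Scope        = 'D:\Shares\Finance'
# The ###-##-#### shape of a U.S. Social Security number. The content
# classifier cannot tell an SSN from any other nine-digit string with the
# same punctuation, so review matches before access decisions hang on them.
$SsnRegex     = '\b\d{3}-\d{2}-\d{4}\b'

function Install-PiiClassificationRule {
    # 1. A Yes/No resource property. Once it exists, a DAC central access
    #    rule can carry a condition such as Resource.PII Equals Yes.
    if (-not (Get-FsrmClassificationPropertyDefinition -Name $PropertyName -ErrorAction SilentlyContinue)) {
        New-FsrmClassificationPropertyDefinition -Name $PropertyName -Type YesNo `
            -Description 'File contains personally identifiable information' | Out-Null
    }
    # 2. A content rule scoped to one namespace. Content rules read every
    #    file in scope, so keep the namespace narrow on large servers.
    #    Overwrite lets a later scan re-tag a file whose content changed.
    if (-not (Get-FsrmClassificationRule -Name 'Tag SSN-bearing files' -ErrorAction SilentlyContinue)) {
        New-FsrmClassificationRule -Name 'Tag SSN-bearing files' `
            -Namespace @($Scope) `
            -Property $PropertyName -PropertyValue 'Yes' `
            -ClassificationMechanism 'Content Classifier' `
            -ContentRegularExpression @($SsnRegex) `
            -ReevaluateProperty Overwrite | Out-Null
    }
}

function Get-FsrmFileProperty {
    # Reads the stored classification of one file through the FSRM COM
    # API. Assumption: ProgID Fsrm.FsrmClassificationManager and its
    # EnumFileProperties(path, options) method; options 0 = cached values.
    param([Parameter(Mandatory)][string]$Path, [string]$Name = $PropertyName)
    $mgr = New-Object -ComObject 'Fsrm.FsrmClassificationManager'
    foreach ($p in $mgr.EnumFileProperties($Path, 0)) {
        if ($p.Name -eq $Name) { return $p.Value }
    }
    return $null
}

# Constructed input: one file with an SSN-shaped string, one without.
New-Item -ItemType Directory -Path $Scope -Force | Out-Null
Set-Content -Path (Join-Path $Scope 'payroll.txt') -Value 'Employee 4471, SSN 123-45-6789'
Set-Content -Path (Join-Path $Scope 'memo.txt')    -Value 'Lunch is at 12:30 in room 204'

Install-PiiClassificationRule
Start-FsrmClassification -Confirm:$false   # same as "Run classification now" in FSRM
Wait-FsrmClassification                     # block until the pass finishes

# Expected: payroll.txt reports PII=Yes, memo.txt reports no value.
foreach ($file in 'payroll.txt', 'memo.txt') {
    '{0,-12} PII={1}' -f $file, (Get-FsrmFileProperty -Path (Join-Path $Scope $file))
}
```

The property the rule sets is exactly what a DAC central access rule consumes as a resource condition; the regex is deliberately loose, which is why the rule only tags and a human (or a tighter rule) decides what access change follows from the tag.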

DAC is one of the many powerful new features of Server 8, and 
I've written about it in "Exploring Windows Server 8: Dynamic Access 
Control." At its highest level, it's about information governance: 
classifying what data is on your file servers, being able to exert a 
high degree of control over that data, and being able to demonstrate 
(e.g., audit) that you have that control. This is a critical need in 
the IT infrastructure now, driven by the combination of explosive 
data growth, the increase in external threats, and the cost of a 
security breach. FCI is a building block for DAC because FCI provides 
the file classification and tagging engine that DAC depends on to 
apply its policies. 
Another beneficiary of the DAC project is AD. Tagging and classifying 
file server data is great, but its usefulness is limited if you can't 
control access to this data based on the new, finer level of detail 
you have. To control access at this level, you must make significant 
changes to the Local Security Authority (LSA) on the file server and 
in AD. I'll leave the file server changes for another time, but the 
changes in AD are vital, and they point the way toward AD's future. 

To support this greater degree of access control on file servers (and 
on all resources that support access control lists, or ACLs, in 
future OS releases), AD must support claims. If you aren't familiar 
with claims, they're simply another facet of asserting identity: a 
claim is a statement (e.g., an email address or a department) that a 
trusted issuer (e.g., AD FS, or in Server 8 a domain controller) 
makes about an entity (e.g., your user account), and the relying 
party accepts the claim because it trusts and can verify the issuer, 
not because it looked the value up itself. Claims are already the 
lingua franca of cloud identity, and they're a basic component of the 
federation technology that allows us to securely extend local 
identity to cloud services. But until Server 8, AD had no knowledge 
of claims; we had to rely solely on Active Directory Federation 
Services (AD FS) to transform AD attributes into claims. These claims 
were consumed mostly by external services because traditional 
enterprise applications didn't understand them. That's changing, and 
AD is changing to accommodate them. In Server 8, a DC can place user 
and device claims directly in the Kerberos ticket, which is what lets 
a DAC file server evaluate them. This change to AD is very important, 
and every AD administrator needs to start wrapping his or her head 
around claims-based identity because it's going to be a part of the 
future. 

Among the Server 8 improvements that focus on AD itself, the biggest 
investment the AD team made was in making AD easier to deploy. Anyone 
who has spent any time on AD-related forums knows that deployment 
questions about Adprep, Dcpromo, duplicating and virtualizing domain 
controllers (DCs), and DNS-related deployment decisions are the most 
common. These changes definitely fall into the "evolutionary" 
category, because they're refinements of existing AD functions. 
The upgrade and promotion of DCs has been dramatically simplified. 
Dcpromo is now the Active Directory Domain Services Configuration 
Wizard, which is fully integrated with Server Manager. (See my 
article "Upgrading Active Directory to Windows Server 8" for a 
screenshot gallery of the promotion process.) It's very easy to use, 
but more important, the configuration wizard does a ton of work under 
the covers to make promotion as painless as possible. 

The first thing it does is take care of the Adprep /forestprep and 
/domainprep process automatically (although you can still run it 
manually if you want to). Dean Wells, a former top AD consultant who 
is now on the Microsoft AD team, flatly stated that it was a mistake 
to expose the Adprep process to administrators; the amount of fear 
and support calls it generated far outweighed the actual problems 
caused by the process. The promotion process also performs a thorough 
validation of environment-wide prerequisites before it begins the 
deployment, so if you have major problems in your AD environment, the 
promotion won't even continue. It has also become much more tolerant 
of transient network failures, has some enhanced install from media 
(IFM) options, and is now fully remoteable. 

Virtualization 

Another aspect of simplifying AD deployment is making virtual DCs a 
bulletproof option, and when that happens, DC cloning becomes safe, 
too. Restoring a virtual DC from an image backup or an earlier 
snapshot risked causing damage (USN rollback) to the referential 
integrity of the entire distributed AD database in a domain or forest 
because, unlike a standard restore process, the restored DC had no 
idea it had been restored. Server 8 Active Directory Domain Services 
(AD DS) introduces support for the VM-Generation ID (VM-Gen ID), a 
unique 128-bit identifier (much like a GUID) that the hypervisor 
exposes to the VM and changes whenever the VM is reverted to a 
snapshot or copied. The DC stores the value it last saw in the 
msDS-GenerationId attribute of its own computer object and compares 
it with the hypervisor's value at boot and before each write to the 
database. When the two differ, the DC knows it has been rolled back 
and deploys safeguards (such as discarding its relative identifier, 
or RID, pool and resetting its invocation ID) to prevent USN rollback 
from occurring. Note that this protects only DCs running on a 
hypervisor that implements VM-Gen ID; on any other hypervisor, 
snapshot restores remain as dangerous as before. 

DC cloning, which these “virtualization-safe” improvements have 
made a safe and supported option, really has a lot of potential. It 
can make the actual promotion process a rare occurrence, because 
why should you go to the trouble of running a new promotion when 
you can simply clone a new DC from an existing one? And it’s very 
fast. 

DC cloning also has an enormous benefit in an area that's not yet 
appreciated: forest recovery in the event of a disaster. In today's 
supported configuration, to recover a forest you restore a seed 
forest of DCs (one per domain), then run Dcpromo on other DCs until 
you have enough DCs in the environment to support your users. The 
problem is that Dcpromo is time consuming, even if you use IFM 
instead of doing a network promotion. A "forest down" situation is an 
administrator's nightmare, and every second you spend in recovery 
means thousands of dollars. DC cloning will enable you to simply make 
clones of the seed forest DCs, a much faster operation than IFM or 
network promotion. You might be able to justify a Server 8 AD upgrade 
on these potential cost savings alone. 
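As an added example (not the column's own material), here is the Windows Server 2012 cloning sequence in PowerShell, with the prerequisite checks that the VM-Gen ID safeguard and the cloning feature rely on. The DC names (DC01, DC02), the addresses, the site name, the export path, and the Hyper-V host name HV01 are assumptions for a lab; the cmdlets are the ones the Server 2012 ActiveDirectory and Hyper-V modules ship with.

```powershell
# Added example, not from the column. Run from an elevated session on a
# Windows Server 2012 machine with the ActiveDirectory module; the
# Hyper-V commands at the end run on the host. All names and addresses
# below are lab assumptions.
Import-Module ActiveDirectory

$SourceDcName = 'DC01'
$CloneName    = 'DC02'
$HyperVHost   = 'HV01'
$ExportPath   = 'D:\Export'

function Test-DcCloningPrerequisites {
    param([string]$DcName)
    $dc = Get-ADDomainController -Identity $DcName
    # 1. msDS-GenerationId is written only when the hypervisor exposes a
    #    VM-Generation ID. Without it the DC can detect neither a snapshot
    #    restore nor a clone, and cloning is not supported.
    $obj = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-GenerationId'
    if (-not $obj.'msDS-GenerationId') {
        throw "$DcName has no msDS-GenerationId; its hypervisor does not expose VM-Gen ID"
    }
    # 2. The PDC emulator authorizes clones, so it must be Server 2012.
    $pdc = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
    if ($pdc.OperatingSystem -notmatch 'Windows Server 2012') {
        throw "PDC emulator $($pdc.HostName) runs $($pdc.OperatingSystem); 2012 required"
    }
    # 3. Only members of this group may be cloned; membership is the
    #    authorization record, so keep it empty when you are not cloning.
    Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $obj
    return $obj
}

$source = Test-DcCloningPrerequisites -DcName $SourceDcName

Invoke-Command -ComputerName $source.DNSHostName -ScriptBlock {
    # 4. Any installed service or application not on the default allow
    #    list blocks cloning until it is vetted and added to
    #    CustomDCCloneAllowList.xml (-GenerateXml writes that file).
    $blocked = Get-ADDCCloningExcludedApplicationList
    if ($blocked) {
        $blocked | Format-Table -AutoSize | Out-String | Write-Warning
        throw 'Unvetted applications present; review them before cloning'
    }
    # 5. DCCloneConfig.xml gives the clone its name, address and site.
    #    Without it the clone is promoted with generated values.
    New-ADDCCloneConfigFile -Static -CloneComputerName $using:CloneName `
        -SiteName 'Default-First-Site-Name' `
        -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'
}

# 6. On the Hyper-V host: the source must be shut down (a running DC's
#    disk is not a consistent copy), exported, and imported as a new VM
#    with its own VM ID. The first boot of the copy sees a new VM-Gen ID
#    plus DCCloneConfig.xml and turns itself into $CloneName.
Invoke-Command -ComputerName $HyperVHost -ScriptBlock {
    Stop-VM -Name $using:SourceDcName
    Export-VM -Name $using:SourceDcName -Path $using:ExportPath
    Start-VM -Name $using:SourceDcName
    $config = Get-ChildItem -Path "$using:ExportPath\$using:SourceDcName\Virtual Machines" -Filter *.xml |
        Select-Object -First 1
    $clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
        -VirtualMachinePath "D:\VMs\$using:CloneName" -VhdDestinationPath "D:\VMs\$using:CloneName"
    Rename-VM -VM $clone -NewName $using:CloneName
    Start-VM -VM $clone
}
```

The export is a complete copy of the directory database, including every password hash and the KRBTGT secret, so protect the export path as you would a DC and delete it once the clone is up. Remove DC01 from Cloneable Domain Controllers afterwards: membership in that group is what lets a copied disk promote itself without anyone supplying Domain Admin credentials.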




Substantial Improvements 

The Directory Services team has posted a good entry that lists new 
Understand and Troubleshoot guides and test lab guides for various 
Server 8 AD technologies. These updates mean that not only will 
expanding that AD environment be easier for cloud data centers; it 
will also be easier for small-to-midsized businesses (SMBs) that 
don't have an AD specialist. As I mentioned, these changes to AD in 
Server 8 might not be revolutionary, but that's OK. We don't need 
revolutionary changes in this area anymore. What we need are 
substantial improvements, and the AD team has delivered them. ■ 
The Most Confusing Dialog Box in Active Directory 

This breakdown of Kerberos settings and how they 
correspond to AD provides much-needed clarity 

One of Microsoft's most blogged-about and documented technologies is 
Kerberos authentication. That's a little odd, given that there have 
been few significant changes to Kerberos and its functionality since 
the release of Windows Server 2003 (the AES encryption types added in 
Windows Server 2008 being the notable exception). And yet Kerberos 
keeps getting documentation. 

This ongoing need to clarify how Kerberos works and how it fails is a 
result of the fact that, although Kerberos remains the same, the 
services that use it and the ways they use it are often unique. What 
remains the same in each scenario, however, is what the settings in 
Active Directory (AD) are intended to address, as well as the 
difficult-to-interpret messages you'll see when things fail. 

In this article, I'll try to provide some clarity about what I call 
"the most confusing dialog box in AD," which is the Delegation tab in 
the object's Properties in the Microsoft Management Console (MMC) 
Active Directory Users and Computers snap-in (dsa.msc). I'm going to 
talk about what you can expect to see at the attribute level for the 
different configurations. This is important because if you know what 
the different settings that can be configured in AD for a service do, 
you can make sense out of what settings you might need for an 
application or service that uses Kerberos delegation. 
Figure 1: The Delegation tab 

Figure 2: What I would have named the Delegation selections 

A Simple UI 

Why spend time looking at a "simple" UI? In Microsoft support, we 
spend time delving into items like this because once you know how 
things work under the hood, you have a better idea of how to fix them 
when they're broken. So, let's go over what those settings are. If 
you open the Active Directory Users and Computers snap-in and go to a 
computer account's Properties, you'll see the Delegation tab, 
provided that your domain is at the Windows Server 2003 domain 
functional level or above. (A user account shows the tab only after 
it has been given a servicePrincipalName; the tab belongs to service 
identities, not to ordinary users.) Figure 1 shows the tab in 
question. Now, let's dissect what the radio buttons in that figure 
do. In the matrix that Figure 2 shows, I interpret what the 
selections really mean and I share alternative names that I might 
have used if I had named them. 

Before we get too deep into the settings, let's talk briefly about 
what Kerberos delegation is. Delegation (aka impersonation or simple 
delegation) is the act of an application or service getting Kerberos 
tickets to gain access to resources on a remote computer on behalf of 
a user. The identity that's trusted for that delegation is the 
service account that the application is running as. This allows the 
application to gain access only to resources the user would have 
access to and to provide that information back to the user. A typical 
scenario would be a web server connecting to a SQL Server system to 
display data to a user on a web client. 

The top two settings in Figure 1 are self-explanatory. The third is 
essentially Kerberos Constrained Delegation (KCD), which is like 
simple delegation but guarantees that the identity being impersonated 
will be impersonated only to specific services on specific computers. 
This setting is a security enhancement because where and how a user 
can be impersonated is limited. With unconstrained delegation, the 
service receives a copy of each connecting user's ticket-granting 
ticket (TGT) and can use it against any service in the forest; with 
KCD, if a service identity that is trusted for delegation is ever 
compromised, the effect is limited to those specific resources on the 
remote servers that were manually selected for constrained 
delegation. 

The fourth setting in Figure 1 allows KCD as well as Services for 
User (S4U). S4U allows for more advanced functions, such as protocol 
transition, and is actually pretty complex. What is protocol 
transition? It occurs when an incoming client authenticates with a 
protocol other than Kerberos and then is transitioned to Kerberos. 
For detailed documentation about S4U, check out "Exploring S4U 
Kerberos Extensions in Windows Server 2003" and "Protocol Transition 
with Constrained Delegation Technical Supplement." Those resources 
target programming, not administration, but from an administrator's 
point of view, it's important to understand what S4U is, how it's 
configured, and whether you're using it. To that end, here's an IT 
administrator's short-and-sweet list of what S4U allows: 

• Obtain a service ticket to itself for an arbitrary user, and with it 
the user's group membership and other token information, without the 
user ever presenting a TGT or credentials to the trusted service. 
This information could then be used for authorization checks, for 
example. This is known as Service-for-User-to-Self (S4U2Self). 

• Obtain a service ticket to another service on behalf of the user by 
presenting the user's service ticket (either one the user obtained 
normally or one produced by S4U2Self) as evidence, again without the 
user's TGT or credentials. This is called Service-for-User-to-Proxy 
(S4U2Proxy), and it is the mechanism behind KCD. 

• Perform protocol transition, as I discussed earlier. Clients 
communicating with enterprise services won't always initially 
authenticate using Kerberos. S4U allows a trusted service to take an 
authenticated user's session and transition it to using Kerberos. 
This is actually the most common source of misconfiguration failures 
because applications typically do a poor job of documenting whether 
they need protocol transition and how to set it in AD. This one is 
perfect because nowadays we can't even write an article without 
mention of "the cloud." NTLM is the authentication method that will 
most often be seen from clients connecting across the cloud because 
no domain controllers (DCs) would be available to answer Kerberos 
service ticket requests on the Internet. Protocol transition can be 
used to connect across a firewall or proxy software using one 
authentication method, such as NTLM, and transition that domain user 
to using Kerberos authentication for further actions that take place 
within the corporate network. Because "cloud" essentially means 
connecting across the Internet, you can bet that if you're using some 
cloud-based solution you'll eventually end up using (or wanting to 
use) Kerberos protocol transition. 

Under the Hood 

Now, let's go over what happens under the hood when you alter those 
four settings by using LDP to view the attributes set for each of 
these configurations. LDP (ldp.exe) is installed with the AD Domain 
Services role and with the AD DS Remote Server Administration Tools, 
and can be used as a GUI-based LDAP-querying tool. LDP is basically a 
tool to let you construct your own LDAP queries and see the results 
in a relatively nice, friendly interface. The added value in using 
LDP to look at values such as userAccountControl is that LDP will 
interpret computed flag values into human-readable results instead of 
leaving them as a combination of numerical values. To be fair, later 
versions of adsiedit.msc will perform that flag-value computation for 
you as well, but I'm partial to the "old school" LDP tool and its 
versatility. 

In other words, in Windows Server 2008 and later, ldp.exe and 
adsiedit.msc are useful for automatically translating values and 
flags (e.g., userAccountControl) so that you don't have to open 
calc.exe and refer to the online documentation on MSDN or in the 
Microsoft Knowledge Base. 

I'll now show you each Delegation tab setting as you select it in the 
Active Directory Users and Computers snap-in, then show you the 
changed attributes in LDP. 

Do not trust for delegation. Let's start with an account that isn't 
trusted for delegation. In Figure 3, note that Test2 isn't trusted 
and that the userAccountControl value of 0x1020 (4128 decimal) 
translates to WORKSTATION_TRUST_ACCOUNT (0x1000) and PASSWD_NOTREQD 
(0x20). 

Trust for delegation. Figure 4 shows an account that is trusted for 
delegation. You can clearly see TRUSTED_FOR_DELEGATION (0x80000) in 
the translated userAccountControl flags. This flag is what allows 
simple, unconstrained Kerberos delegation to take place for that 
service identity. 

Figure 3: Not trusted for delegation 

Figure 4: Trusted for delegation 

Trust for delegation to specified services. These next settings can 
make or break you if you want to use S4U or KCD. In this case, you've 
selected the Trust this computer for delegation to specified services 
only button, as well as the first choice underneath it, Use Kerberos 
only. As Figure 5 shows, this option sets the userAccountControl 
flags back to WORKSTATION_TRUST_ACCOUNT only and populates the 
msDS-AllowedToDelegateTo attribute automatically with the SPNs of any 
selected services you'll allow delegation to. This attribute isn't 
populated or touched by any other routine. These entries are the 
specific services on the specific computers that delegation will be 
allowed to. 

The second option here is the less secure Use any authentication 
protocol radio button, which allows for protocol transition and other 
advanced uses. In addition to the msDS-AllowedToDelegateTo entries, 
this setting changes the userAccountControl attribute to contain the 
flag TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (0x1000000, aka T2A4D), 
as Figure 6 shows. It is less secure because a service with T2A4D can 
obtain tickets for any user (except accounts marked as sensitive and 
cannot be delegated) to the listed services without that user ever 
having connected, so compromise of the service account amounts to 
compromise of every user toward those targets. Without the T2A4D 
flag, you can expect protocol transition to fail. This flag isn't 
used or populated by any other component. Note that this simple radio 
button is extremely important because without it selected, S4U2Self, 
S4U2Proxy, and protocol transition will behave differently and can 
cause problems for applications and services that expect these kinds 
of tickets. In the case of protocol transition, it will fail: no 
ticket will be issued. S4U2Self tickets will lack the forwardable 
flag, and an S4U2Proxy request that presents a non-forwardable 
evidence ticket is refused; so S4U2Proxy fails whenever the user did 
not authenticate to the front-end service with Kerberos, and S4U2Self 
fails in situations where it needs to send its ticket on to another 
service or host. 

Figure 5: Trusted for Kerberos only 

Figure 6: Trusted for any authentication method 
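The following Windows PowerShell is an added example rather than the article's own material. It decodes the two attributes discussed above into the four Delegation-tab states, runs that decoder over a constructed set of records (including Test2 with 0x1020 from Figure 3),and, where the ActiveDirectory module is installed, audits the live domain for everything trusted for any form of delegation. The flag values are the documented userAccountControl bits; the account names and SPNs in the sample are invented.

```powershell
# Added example, not from the article. Works offline on the constructed
# records; the live audit at the end needs the ActiveDirectory module.
# Bit values are the documented userAccountControl flags.
$UacFlags = [ordered]@{
    PASSWD_NOTREQD                         = 0x20
    WORKSTATION_TRUST_ACCOUNT              = 0x1000
    SERVER_TRUST_ACCOUNT                   = 0x2000
    TRUSTED_FOR_DELEGATION                 = 0x80000
    NOT_DELEGATED                          = 0x100000
    TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UserAccountControl {
    # Renders the set bits by name, the way LDP does in Figures 3 to 6.
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-DelegationMode {
    # Maps userAccountControl + msDS-AllowedToDelegateTo back to the
    # Delegation-tab radio button that produces that combination.
    param(
        [Parameter(Mandatory)][int]$UserAccountControl,
        [string[]]$AllowedToDelegateTo
    )
    $targets       = @($AllowedToDelegateTo | Where-Object { -not [string]::IsNullOrEmpty($_) })
    $unconstrained = ($UserAccountControl -band $UacFlags.TRUSTED_FOR_DELEGATION) -ne 0
    $t2a4d         = ($UserAccountControl -band $UacFlags.TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) -ne 0

    if ($unconstrained)                   { return 'Trust for delegation to any service (unconstrained)' }
    if ($targets.Count -gt 0 -and $t2a4d) { return 'Constrained, use any authentication protocol (T2A4D)' }
    if ($targets.Count -gt 0)             { return 'Constrained, use Kerberos only' }
    if ($t2a4d)                           { return 'T2A4D set with no targets (inconsistent, check manually)' }
    return 'Do not trust for delegation'
}

# Constructed records mirroring the article's figures; Test2 is the
# 0x1020 account from Figure 3. Names and SPNs are invented.
$Samples = @(
    [pscustomobject]@{ Name = 'Test2'; UAC = 0x1020;    Targets = @() }
    [pscustomobject]@{ Name = 'Web01'; UAC = 0x81000;   Targets = @() }
    [pscustomobject]@{ Name = 'Web02'; UAC = 0x1000;    Targets = @('MSSQLSvc/sql01.corp.example:1433') }
    [pscustomobject]@{ Name = 'Web03'; UAC = 0x1001000; Targets = @('MSSQLSvc/sql01.corp.example:1433') }
)
foreach ($s in $Samples) {
    $flags = (ConvertFrom-UserAccountControl -Value $s.UAC) -join ', '
    $mode  = Get-DelegationMode -UserAccountControl $s.UAC -AllowedToDelegateTo $s.Targets
    '{0,-6} 0x{1:X7} [{2}] -> {3}' -f $s.Name, $s.UAC, $flags, $mode
}

function Get-DelegationAudit {
    # Lists every account the KDC will delegate for. Unconstrained
    # delegation is the one to hunt: such a host receives a copy of each
    # connecting user's TGT. DCs have TRUSTED_FOR_DELEGATION by default,
    # so expect them in the output and treat anything else as a finding.
    Import-Module ActiveDirectory -ErrorAction Stop
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
              '(msDS-AllowedToDelegateTo=*))'
    Get-ADObject -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.Name
                Class   = $_.ObjectClass
                Mode    = Get-DelegationMode -UserAccountControl $_.userAccountControl `
                                             -AllowedToDelegateTo ([string[]]$_.'msDS-AllowedToDelegateTo')
                Targets = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            }
        }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-DelegationAudit | Sort-Object Mode | Format-Table -AutoSize
}
```

The NOT_DELEGATED bit in the table is the per-account opt-out (the "Account is sensitive and cannot be delegated" check box on the Account tab); setting it on administrative accounts is the cheapest way to keep them out of every delegation path the audit turns up.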


Do It Yourself 

What happens if the service account that an application or service is 
running as must perform an action that requires protocol transition, 
and the Delegation tab is configured for Use Kerberos only and not 
Use any authentication protocol? The client application failure could 
be an Access Denied error when you're attempting to access a resource 
on the network, or could be a silent fallback to NTLM that succeeds 
with access, or could give an unexpected application-specific error. 
The ambiguity of how the failure would appear adds to the pain of 
this kind of problem. However, the most likely result would be an 
Access Denied error message. In this situation, be sure to check the 
application or service documentation to see if it states that 
protocol transition or TGT-less service ticket requests will take 
place. The problem is that most documentation doesn't truly reflect 
an understanding of what KCD configuration means, and as a result it 
doesn't explain it well or even at all. 

The do-it-yourself way to figure out a failure would be to simply 
gather a network trace from the server that's trusted for delegation 
as the issue happens. Once you have that capture, filter it for 
Kerberos (Kerberosv5 in Microsoft Network Monitor or kerberos in 
Wireshark). The service ticket request (TGS_REQ) will be sent to the 
AD Key Distribution Center (KDC) for the ticket, and the request will 
contain KDC options with the constrained delegation flag set (the 
option the parsers label cname-in-addl-tkt). Instead of a TGS_REP, 
the server will answer with a KRB_ERROR carrying KDC_ERR_BADOPTION 
(error code 13, so kerberos.error_code == 13 isolates it in 
Wireshark), which will be easily seen in the network parser, and the 
ticket won't be issued. 

More information about how the Microsoft Kerberos implementation 
works can be found in the online Open Specifications. "[MS-KILE]: 
Kerberos Protocol Extensions" provides general Kerberos 
documentation, and "[MS-SFU]: Kerberos Protocol Extensions: Service 
for User and Constrained Delegation Protocol Specification" provides 
documentation about Kerberos Constrained Delegation and S4U. 

A Perfect World 

Hopefully, this breakdown of what the UI settings for Kerberos are 
and what they correspond to in AD helps make sense of things. In a 
perfect world, the documentation of the services that you're 
administering would provide the technical guidance on how to 
configure them correctly for authentication. But in case it doesn't, 
this information should improve your tool set. Knowing what should be 
present when things are working is half the battle. ■ 

InstantDoc ID 142572 
FAQ 

Answers to Your Questions 

Q: Where is HyperTerminal in Windows 7? Windows XP had an application 
called HyperTerminal that was great for communicating with COM ports 
and performing Telnet operations. It's no longer provided in Windows 
7. 

A: A great alternative I use is PuTTY, which is a free program 
available at the download page for PuTTY. However, if you really want 
the original XP HyperTerminal, do the following: 

1. Open the Windows XP CD-ROM, navigate to the i386 folder, and copy 
the four HYPERTRM.* files (.CH_, .DL_, .EX_, and .HL_) to a local 
folder. 

2. Open a command prompt at the folder where you copied the four 
files. 

3. Expand them with the EXPAND command: 

D:\Temp>expand -R hyper*.* d:\temp 

This is the output that results: 

Microsoft (R) File Expansion Utility Version 6.1.7600.16385 
Copyright (c) Microsoft Corporation. All rights reserved. 

Adding d:\temp\hypertrm.chm to Extraction Queue 
Expanding Files .... 

Expanding Files Complete ... 

Adding d:\temp\hypertrm.dll to Extraction Queue 
Expanding Files .... 

Expanding Files Complete ... 

Adding d:\temp\hypertrm.exe to Extraction Queue 
Expanding Files .... 

Expanding Files Complete ... 

Adding d:\temp\hypertrm.hlp to Extraction Queue 
Expanding Files .... 

Expanding Files Complete ... 

XP HyperTrm.exe is now on your Windows 7 machine. 

—John Savill 
InstantDoc ID 142183 


Q: In XenDesktop, in what order must the XenDesktop Virtual Desktop 
Agent and VMware Tools be installed onto a vSphere virtual machine? 

A: Citrix XenDesktop serves a unique role in that it layers atop a 
data center's virtualization infrastructure and works in 
collaboration with the data center's application delivery 
infrastructure. As a result, the network delivery aspect of 
XenDesktop's virtual machines (VMs) requires that those VMs support 
some Citrix drivers in addition to some VMware drivers. 

One such driver is the Windows Display Driver Model (WDDM), for 
which both VMware and Citrix drivers exist, but only Citrix's drivers 
work in a XenDesktop infrastructure. As a result, XenDesktop's Virtual 
Desktop Agent must be installed after the installation of the VMware 
Tools so that Citrix's WDDM driver replaces the equivalent driver from 
VMware. 

—Greg Shields 
InstantDoc ID 142251 
Q: When creating a new library in Microsoft System Center Virtual 
Machine Manager 2012, how do I make sure the default library content 
is added to the new share? 

A: When System Center Virtual Machine Manager (VMM) 2012 is 
installed, certain resources are added to the default library, such 
as blank virtual hard disks (VHDs), both large and small, and custom 
resources that contain assets such as scripts and executables used 
for Server App-V and web deployments. To make sure these assets are 
copied to new library servers, select the check box for Add Default 
Resources (see Figure 1) when selecting the file share. 

If you forget to do this, just open Windows Explorer on the default 
library, then manually copy the resources to the new library server 
file share. Then refresh the library share so the new content is 
discovered. 

—John Savill 
InstantDoc ID 142184 
Q: The Intel Wi-Fi LAN card in my company's Windows 7 laptops has the 
option to select between auto 20/40MHz and 20MHz only. What does the 
auto 20/40MHz setting mean? 

A: The newer 802.11n radio can use either a 20MHz or a 40MHz channel. 
Just like in wired communications, the larger the bandwidth, the 
higher the transmitted data rate. All else being equal, an 802.11n 
device transmitting on a 40MHz channel can transmit at more than 
twice the data rate of an 802.11n device transmitting on a 20MHz 
channel. Therefore, it's desirable to transmit using the 40MHz 
channel. 

Conversely, if you're transmitting on a 40MHz channel, you'll cause 
more interference than if you're transmitting on a 20MHz channel. To 
minimize the impact of the interference, an 802.11n Access Point (AP) 
will do channel assessments. 

The AP will use a 40MHz channel if there's no notable noise on the 
channel but will automatically drop back to 20MHz if it detects 
notable noise. This automatic switching between 40MHz and 20MHz is 
called auto 20/40MHz. 

There might be situations in which you want the AP to always operate 
in a 20MHz channel. For example, if you were deploying multiple APs 
in the 2.4GHz frequency band, there isn't enough spectrum available 
to implement 40MHz channels. In this case, you would select the 20MHz 
option. 

—Avril Salter, Mike Danseglio 
InstantDoc ID 142414 

Q: In Windows Vista and later, how do I stop Remote Access Service 
connections from closing at logoff? 

A: In Windows XP, creating the DWORD registry value 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ 
Winlogon\KeepRasConnections and setting it to 1 would keep Remote 
Access Service (RAS) connections open even after a logoff. This no 
longer works in Windows Vista and later. However, all that has really 
happened is the key has changed. For Vista and later, perform the 
following: 

1. Start the registry editor (regedit.exe). 

2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ 
Services\RasMan\Parameters. (If the key doesn't exist, create it.) 

3. Create a new value called KeepRasConnections, of type REG_SZ. 

4. Set the new value to 1. 

—John Savill 
InstantDoc ID 142186 


Q: Where is the SMI-S provider for my SAN? 

A: Storage Management Initiative Specification (SMI-S) is a standard 
developed by the Storage Networking Industry Association (SNIA) 
Storage Management Initiative (SMI) and others. It enables a common 
approach for interacting with storage systems such as SANs. The SMI-S 
provider typically runs on a separate OS instance such as Windows 
Server (which could be virtualized) and provides the SMI-S service, 
which communicates with the actual SAN. Alternatively, the SMI-S 
provider might actually run on the SAN itself. 

It's important to know where it runs, because when the SMI-S client 
is configured, it needs to point to the SMI-S provider and not the 
SAN. If the SMI-S provider isn't hosted on the SAN, you must identify 
where the SMI-S provider is installed and point the SMI-S client to 
it. 

—John Savill 
InstantDoc ID 142187 

Q a What could prevent security policy settings that 
■ have been defined in a domain-wide Group Policy 
Object (GPO) from being applied to Windows 7 clients? 
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Figure 2 

The esentutl.exe 
command showing a 
healthy database 


A m This problem can be caused by a corrupt security database 
■ on your Windows 7 client. For applying the security policy 
portions of a GPO on a Windows machine, Windows uses the secedit 
configuration engine and its local security database, secedit.sdb. The 
secedit database can be found on every Windows box in the \% windir% 
\security\database file system folder. If the secedit database gets cor¬ 
rupted, it can prevent the security policy settings that are defined in 
a GPO from being correctly applied on a machine. 

You can check the health of secedit.sdb by using the esentutl.exe 
command, as follows: 

esentutl /g %windi r%\secunty\database\secedit.sdb 

If esentutl finds errors during the health check, the output of the 
above command will contain the message “This operation may find 
that this database is corrupt. ” If the database is healthy, you should 
get output similar to that illustrated in Figure 2. 

Esentutl also provides options to recover or repair the secedit database.
Microsoft recommends that you follow specific steps, depending on whether
the edb.log and edb.chk files are present. Before you run either command,
copy secedit.sdb somewhere safe: repair in particular can discard damaged
pages and can't be undone. If the edb.log file and the edb.chk file are
both in the %windir%\security folder, run the following esentutl command
to recover the security database:

esentutl /r edb /l %windir%\security /s %windir%\security

The /r switch selects recovery mode, in which esentutl replays the
transaction log to bring the database to a clean state; that's why the
/l and /s switches are needed. The /l switch (lowercase L) points the
command to the log files (*.log), and the /s switch points it to the
location of the checkpoint file (*.chk).

If the edb.log or edb.chk file is missing from the %windir%\security
folder, or if neither file exists there, recovery isn't possible and you
must run the following esentutl command to repair the security database:

esentutl /p %windir%\security\Database\secedit.sdb

The /p switch selects repair mode, in which esentutl attempts to repair
a corrupted or damaged database. After either command, rerun the health
check and then run gpupdate /force so that the GPO security settings are
reapplied.

—Jan De Clercq 
InstantDoc ID 141782 
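
The following script is an added example and not part of the original
answer. It automates the health check and chooses between the two
esentutl modes described above by testing for the edb.log and edb.chk
files, taking a copy of secedit.sdb before it touches anything. It assumes
an elevated PowerShell session on the affected Windows 7 client; the
function names are my own.

```powershell
# Added example (not from the original answer): automate the secedit.sdb
# health check and pick the esentutl mode the answer describes. Assumes an
# elevated PowerShell session on the affected client; function names are mine.

$SecurityDir = Join-Path $env:windir 'security'
$SecEditDb   = Join-Path $SecurityDir 'Database\secedit.sdb'

function Test-SecEditDatabase {
    # esentutl /g is an integrity check. Treat a non-zero exit code or the
    # "may find that this database is corrupt" text as unhealthy.
    $output = & esentutl.exe /g $SecEditDb 2>&1 | Out-String
    $code   = $LASTEXITCODE
    New-Object PSObject -Property @{
        Database = $SecEditDb
        Healthy  = (($code -eq 0) -and ($output -notmatch 'corrupt'))
        ExitCode = $code
        Output   = $output
    }
}

function Get-SecEditRecoveryMode {
    # Soft recovery (/r) replays edb.log against the checkpoint in edb.chk, so it
    # needs both files in %windir%\security. Without them only hard repair (/p)
    # remains, and /p can discard damaged pages.
    $log = Test-Path (Join-Path $SecurityDir 'edb.log')
    $chk = Test-Path (Join-Path $SecurityDir 'edb.chk')
    if ($log -and $chk) { 'Recover' } else { 'Repair' }
}

function Repair-SecEditDatabase {
    param([switch]$Force)
    # Keep a copy first: neither mode can be undone.
    $backup = "$SecEditDb." + (Get-Date -Format 'yyyyMMddHHmmss') + '.bak'
    Copy-Item -Path $SecEditDb -Destination $backup -Force
    Write-Host "Backed up secedit.sdb to $backup"

    $mode = Get-SecEditRecoveryMode
    if ($mode -eq 'Recover') {
        Write-Host 'edb.log and edb.chk present: running soft recovery (/r)'
        & esentutl.exe /r edb /l $SecurityDir /s $SecurityDir
    } else {
        if (-not $Force) {
            throw 'Log or checkpoint file missing; hard repair (/p) discards data. Rerun with -Force.'
        }
        Write-Host 'Log or checkpoint file missing: running hard repair (/p)'
        & esentutl.exe /p $SecEditDb      # answer esentutl's confirmation prompt yourself
    }
    if ($LASTEXITCODE -ne 0) { throw "esentutl failed with exit code $LASTEXITCODE" }

    # Re-check, then force a policy refresh so the GPO security settings reapply.
    $result = Test-SecEditDatabase
    if ($result.Healthy) { & gpupdate.exe /force /target:computer | Out-Null }
    $result
}

# Typical use: Test-SecEditDatabase; if Healthy is False, Repair-SecEditDatabase
```

Run Test-SecEditDatabase first and keep its Output for the record; only
call Repair-SecEditDatabase -Force once you've confirmed the backup copy
exists, because /p is the one step here that can lose data.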

Q: How can I have Microsoft Outlook automatically close the original
message window after a reply is sent?

A: When you open an Outlook message in its own window, by default that
window remains open until you close it. However, Outlook has a setting
that will automatically close messages when you reply to or forward
them. In Outlook 2007, you can enable this setting by going to Tools,
Options to open the Options dialog box. On the Preferences tab, click
E-mail Options. In Outlook 2010, the setting is found by going to File
to enter the Backstage area, then Options. Select the Mail option in
the left pane, and scroll down to the Replies and forwards section, as
Figure 3 shows.
Figure 3: Option to close the original message on replies and forwards in Outlook 2010



Select the check box beside Close original message window when 
replying or forwarding to activate this feature. You don’t need to re¬ 
start Outlook for it to take effect. However, this feature requires that 
the message is open in its own window, not replied to or forwarded 
from the Reading Pane. It’s also an all-or-nothing setting in that it ap¬ 
plies to all accounts in your Outlook profile. 

You might have some instances where you want to forward the same 
message to multiple recipients but not at the same time. You’ll either 
have to forward the message when viewed from the Reading Pane or 
just reopen the message after each forward you send if you need to 
send it again. Ideally, this situation won’t happen often, and this little 
automation can save some users a few minutes in their busy day. ■ 

—William Lefkovics 
InstantDoc ID 142587 
Plan for increasing loads and expanding deployments


In April 2012, Microsoft SharePoint 2010 reached its 2-year anniversary.
Although I still hear about new SharePoint deployments, organizations
that have been using the product for a year or longer are broadening its
scope and increasing their dependency on it.
Whereas many started off using SharePoint for basic collaboration, 
other workloads—such as those for business intelligence (BI), Enter¬ 
prise Content Management (ECM), and social networking—are be¬ 
coming common. Many organizations are also enhancing SharePoint 
with third-party products or developing their own custom solutions 
on top of it. As more and more content goes into SharePoint, its 
storage footprint also expands. And with plenty being written and 
reported about SharePoint governance, we know that SharePoint is 
starting to mature as a solution. 

By now, I'm guessing that most of you have read something about
SharePoint disaster recovery. I'm hoping all of you who are in charge
of a production implementation already have a solid, tested plan. If
not, see the Learning Path for some good primers. The goal of this 
article is to go a bit deeper and illustrate how your disaster recovery 
plans need to evolve as your SharePoint implementation matures. 
Specifically, I’ll discuss how disaster recovery is affected by 

• custom code 

• very large content databases 

• Remote BLOB Storage (RBS) 

In my experience, these factors represent the most common compli¬ 
cations for the recovery process. They are also common trends that 
are found in more mature SharePoint implementations. Although the 
information in this article is intended for SharePoint 2010 environ¬ 
ments, most of it also applies to Windows SharePoint Services (WSS) 
3.0 and Microsoft Office SharePoint Server (MOSS) 2007. WSS and 
MOSS don’t support RBS, but a related form, called External BLOB 
Storage (EBS), can be used with SharePoint 2007 SP1 and later. 


Custom Code 

To me, one of SharePoint’s most amazing achievements is its flex¬ 
ibility as an out-of-the-box product. Colleagues of mine often refer 
to SharePoint as a Swiss Army knife or Play-Doh, and I agree: It’s a 
universal tool that can be molded into a seemingly infinite number 
of forms. However, SharePoint’s greatest flexibility comes not from 
its rich UI but from its underlying technology platform. SharePoint’s 
object model (i.e., API) is the technology platform that allows devel¬ 
opers and ISVs to build powerful business solutions. A testament to 
this flexibility is the teeming ecosystem of SharePoint vendors and 
products, which are built on top of SharePoint’s platform. 

Of course, this flexibility has a downside, assuming that we’re talk¬ 
ing about custom code that’s deployed directly to web servers. Such 
code can drastically complicate disaster recovery. Let’s look at a sim¬ 
ple and fairly common situation. 
Suppose your company is looking for some custom Web Parts to use in a
knowledge base solution that will be developed in SharePoint. The
developer team writes the code, tests the Web Parts, and deploys them
into production. For each Web Front End (WFE), an assembly DLL is copied
to the global assembly cache, web.config files are modified, and Web
Part-related files are added to the SharePoint root (i.e., the 14 hive).
Months later, one of the load-balanced WFE servers crashes and is
replaced with a new server, which is joined to the farm. The next day,
users report sporadic problems with the knowledge base. After a couple
of hours of troubleshooting, you find that only requests served by this
new server are causing the problem. Only then do you remember that some
custom code had been deployed manually to the original server. After
you deploy the files by hand and update web.config, the problem is
solved.

Fortunately, a much better solution exists for this scenario. Instead
of manually deploying code, you can use SharePoint Solution Packages
(WSPs) to automate the deployment of custom code and configuration
changes. If you use a farm-based solution package for custom Web Parts,
the custom code is deployed automatically just after the server joins
the farm. My advice is to require a WSP for any custom code deployment.
Even better, develop the code as a sandboxed solution (also a WSP)
whenever possible: sandboxed solutions run in a separate, restricted
process with access to only a subset of the object model, which limits
the damage a buggy or malicious Web Part can do to the farm.

What if you have third-party applications installed on the WFE? 
These applications will probably need to be reinstalled. In most cas¬ 
es, you should reinstall them either just before or just after the server 
joins the farm, but check the apps’ installation guides. 

What if you make manual configuration changes to a server? For example,
suppose you change the docicon.xml file to add icon support for PDF
files, or you modify web.config for a web application that will use
forms-based authentication. In these cases, it's best to maintain a log
that documents the manual changes made to each server. Be sure to save
the log in a recoverable location, not just in SharePoint; you might
need it when SharePoint is offline. This way, if the server is ever
replaced, you'll know exactly what to do, saving a lot of time and
frustration during the recovery. If your WFE servers are virtualized,
you have the luxury of taking and restoring a snapshot, but remember
that a server reverted to an old snapshot can be out of step with the
farm configuration database, so verify solution deployment and
configuration after the revert. Of course, you can always take a
complete OS backup of the server as well. Just be sure that at least
one of these approaches is part of your recovery strategy.
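
As an added example (not the article's own code), the following script
performs the two checks this scenario calls for after a replacement WFE
joins the farm: that every deployed farm solution actually reached the
new server, and that the hand-edited files recorded in your change log
are identical across front ends. It runs in the SharePoint 2010
Management Shell on a farm server; the server names, admin-share paths,
tracked-file list and function names are assumptions for illustration.

```powershell
# Added example (not from the article): verify WSP coverage and detect drift in
# manually edited files across WFEs. Run in the SharePoint 2010 Management Shell.
# Server names, share paths and the tracked-file list are assumptions.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Wfes = 'SPWFE01', 'SPWFE02'          # assumed load-balanced front ends
$TrackedFiles = @(                    # assumed entries copied from the manual-change log
    'C$\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\XML\docicon.xml',
    'C$\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'
)

function Test-FarmSolutionCoverage {
    # A deployed farm solution lists each server it reached in DeployedServers;
    # a WFE missing from that list is exactly the failure described in the text.
    foreach ($solution in (Get-SPSolution | Where-Object { $_.Deployed })) {
        $deployedTo = @($solution.DeployedServers | ForEach-Object { $_.Name })
        foreach ($wfe in $Wfes) {
            New-Object PSObject -Property @{
                Solution = $solution.Name
                Server   = $wfe
                Deployed = ($deployedTo -contains $wfe)
            }
        }
    }
}

function Get-TrackedFileHashes {
    # SHA-256 of each tracked file on each WFE, read over the admin share.
    # (PowerShell 2.0, which the SharePoint 2010 shell uses, has no Get-FileHash.)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($wfe in $Wfes) {
        foreach ($file in $TrackedFiles) {
            $path = "\\$wfe\$file"
            if (Test-Path $path) {
                $bytes = [System.IO.File]::ReadAllBytes($path)
                $hash  = [System.BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
            } else {
                $hash = 'MISSING'
            }
            New-Object PSObject -Property @{ Server = $wfe; File = $file; Hash = $hash }
        }
    }
}

function Test-WfeDrift {
    # A tracked file is in sync only if every WFE has it with the same hash.
    Get-TrackedFileHashes | Group-Object File | ForEach-Object {
        $hashes = @($_.Group | Select-Object -ExpandProperty Hash -Unique)
        New-Object PSObject -Property @{
            File   = $_.Name
            InSync = ($hashes.Count -eq 1 -and $hashes[0] -ne 'MISSING')
            Detail = (($_.Group | ForEach-Object {
                "$($_.Server)=$($_.Hash.Substring(0, [Math]::Min(12, $_.Hash.Length)))" }) -join ' ')
        }
    }
}

# Report only the problems: solutions missing from a server, files that differ.
Test-FarmSolutionCoverage | Where-Object { -not $_.Deployed } | Format-Table Solution, Server, Deployed -AutoSize
Test-WfeDrift | Where-Object { -not $_.InSync } | Format-Table File, Detail -AutoSize
```

Running this immediately after a server joins the farm, and again after
each change-log entry, turns the "only then do you remember" moment into
a routine check instead of a production incident.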

Large Content Databases 

In July 2011, Microsoft released revised guidance for sizing content 
databases. (For details, see “ SharePoint Server 2010 capacity manage¬ 
ment: Software boundaries and limits. ”) To summarize, the support¬ 
able limit for a single content database increased to 4TB; there’s no 
explicit limit for document archives such as a record center. Note that 
a number of caveats, including possible changes to the performance 
of your database storage layer and the need to adjust your disaster 
recovery plan, apply to these revised limits. 

With respect to disaster recovery, the problem with large content 
databases is how long they take to back up and restore. As SharePoint 
matures in organizations, it often increases in importance. This impor¬ 
tance usually translates into tighter recovery objectives. In fact, I’m 
starting to hear about cases in which recovery time objectives (RTOs) 
are being reduced to just a few minutes. Yikes! Assuming that most 
recovery operations (excluding the Recycle Bin, of course) start with 
a content database restore, how do you meet your service level agree¬ 
ments (SLAs) when it takes 6 hours just to restore the database? 

The first solution is to do whatever you can to limit the size of your
databases. In most scenarios, I still recommend that content databases
be kept on a 200GB diet. When structuring site collections within
content databases, look at your usage patterns and isolate unique
patterns to separate databases. For example, don't store your
write-intensive team sites within the same content database that holds
your read-centric intranet portal. My Sites (remember, each My Site is a
site collection) should always be stored in separate content
databases, and preferably associated with a separate web application,
to better control in which database new My Sites are created. Large
archives, such as a record or document center, should each have their
own separate content databases. With this approach in place, you not
only have smaller content databases, but you can also choose to back up
read-centric or less-important content databases less often.
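
To put numbers behind the 200GB diet and the RTO discussion, here is an
added example (not from the article) that lists every content database
in the farm with its size and site count and estimates how long a
restore would take at a measured throughput. Run it in the SharePoint
2010 Management Shell; the restore rate and RTO values are assumptions,
so replace them with figures from a test restore in your own environment.

```powershell
# Added example (not from the article): size every content database against the
# 200GB guideline and an assumed restore rate/RTO. Run in the SharePoint 2010
# Management Shell. The rate and RTO are assumptions; measure your own.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SizeLimitGB         = 200   # the article's recommended ceiling
$RestoreRateMBperSec = 150   # assumed; take it from a timed test restore
$RtoMinutes          = 60    # assumed recovery time objective

function Get-ContentDbRestoreEstimate {
    foreach ($db in Get-SPContentDatabase) {
        $bytes      = $db.DiskSizeRequired
        $gb         = [Math]::Round($bytes / 1GB, 1)
        $restoreMin = [Math]::Round(($bytes / 1MB) / $RestoreRateMBperSec / 60, 1)
        New-Object PSObject -Property @{
            Database       = $db.Name
            WebApplication = $db.WebApplication.Name
            Sites          = $db.CurrentSiteCount
            SizeGB         = $gb
            RestoreMinutes = $restoreMin
            OverDiet       = ($gb -gt $SizeLimitGB)
            BreaksRTO      = ($restoreMin -gt $RtoMinutes)
        }
    }
}

# Largest databases first; OverDiet and BreaksRTO mark the candidates for splitting.
Get-ContentDbRestoreEstimate |
    Sort-Object SizeGB -Descending |
    Format-Table Database, WebApplication, Sites, SizeGB, RestoreMinutes, OverDiet, BreaksRTO -AutoSize
```

A database that shows BreaksRTO without OverDiet tells you the problem is
the restore path (storage or backup tooling), not the database layout;
the reverse points you back at the site-collection structure above.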

Another solution is to be sure that you deploy SP1 for SharePoint 
2010. One of the service pack’s features is the ability to store deleted 
websites in the second-stage (site-collection) Recycle Bin. Now, when 
that blog site is accidentally deleted, a site-collection administrator 
can restore it. This capability will save you a lot of time and effort. 

As your total content continues to grow, you’ll probably learn that 
SharePoint’s native backup and restore features are just too limit¬ 
ing. It’s often necessary to invest in third-party backup and restore 
solutions to meet SLA requirements. A number of great products are 
available and will pay for themselves if they can help you to recover 
quickly from just one disaster, big or small. These tools are wonder¬ 
ful for day-to-day recovery needs such as item-level recovery, helping 
you meet your recovery objectives. 

Of course, high-availability protection, such as Microsoft SQL Server
clustering, database mirroring, or SQL Server 2012's brand-new AlwaysOn
feature, should be part of your complete disaster recovery strategy.
Although these options won’t help when you need to restore content, 
they’ll keep your farm running if a database server goes down. 

Remote Blob Storage 

As content databases grow, so does the underlying storage. With con¬ 
tent databases being stored on premium, tier-1 storage, managing 
storage costs becomes its own challenge. One solution is to use RBS 
to store documents outside the content database in more affordable 
storage, as Figure 1 shows. Not only does this option reduce storage 
costs, but it might also speed your SQL Server machines by offloading 
taxing read/write requests for documents. 
Figure 1: How RBS works


The disaster-recovery challenge is that you now have two entities 
to back up and restore: the content database and the location of the 
external documents, called the BLOB store. With RBS, the content 
database uses pointers to reference the external BLOBs, and these 
pointers must be kept in sync. Although this might sound difficult, it 
doesn’t need to be. Let’s look inside RBS to understand why. 

First, you should know that files in the BLOB store are immutable,
meaning that they never change. Editing a document in SharePoint
creates a new BLOB, rather than replacing the original document in
the existing BLOB. This process always occurs separately from any
versioning settings. Deleting a document from a library (and the
Recycle Bin) removes the metadata and flags the pointer as deleted, but
the BLOB is kept for a designated period. Over time, you end up with
extra, orphaned files in the BLOB store.

RBS uses maintenance jobs to clean out old pointers and these orphaned
files. This process is called garbage collection and effectively
resyncs everything. You're probably asking, what does "old" mean? The
value is configurable and commonly set to 30 days, meaning that only
files that have been orphaned for more than 30 days are removed. This
value can be adjusted and is often based on recovery SLAs.

Having this window (officially called the garbage collection time
window) is convenient for day-to-day restore operations when using
RBS. For example, let's say that a document is accidentally deleted
on Monday morning. SharePoint no longer has the document's metadata,
but the BLOB file is still intact. Simply by restoring Sunday night's
database backup, you can restore the item's metadata and BLOB pointer,
which still points to the existing file in the BLOB store. In other
words, you don't need to restore from the BLOB store.

In a few scenarios, however, you do need to restore from the BLOB 
store, so you must back it up. These scenarios include a BLOB store 
failure or the need to restore from a backup that’s beyond your time 
window (e.g., 45 days ago). In these cases, recovery is more difficult, 
but these aren’t typical restore operations. 

You can schedule your content database and BLOB store backups to run
together or back to back. Either way, start the content database
backup first and schedule it so that it finishes before the BLOB store
backup finishes; that way every BLOB pointer captured in the database
backup refers to a file that the BLOB store backup also contains. If
and when you need to restore a database and BLOB store together, do so
in reverse order: start the BLOB store restore first and then start the
content database restore.

Many storage providers, such as EMC and NetApp, let you mirror a 
BLOB store. In such cases, your disaster-recovery steps are easier and 
faster. Check with your storage vendor so you know your options. 

If you decide to use RBS, know that features vary among vendors. 
For example, Microsoft offers a free RBS provider called FILESTREAM. 
When FILESTREAM runs in local mode (i.e., when the BLOB store 
is on the local SQL Server instance), a database backup includes the 
BLOBs. However, there are drawbacks to FILESTREAM, such as a 
more challenging installation and maintenance steps. When choos¬ 
ing a provider, do your homework and consider all aspects of your 
environment, including disaster recovery. 

One final note: RBS can't be used to extend Microsoft's supported
limits for content databases. For example, externalizing 5TB from a
single content database that's used for project team sites would be
an unsupportable design. When planning your maximum database sizes, be
sure to include both internal content (the actual database size) and
external content from the BLOB store.

To learn more about the inner workings of RBS, you can download
the Microsoft SQL Server white paper “Remote BLOB Storage.” To learn 
more about RBS benefits and considerations for its use, see the AvePoint 
white paper “ Optimize SharePoint Storage with BLOB Externalization .” 

Take Control 

Has your SharePoint environment matured to the point where custom 
code, large content databases, or RBS solutions are being considered? 
If not, just give it some time—it probably will. When I talk to enter¬ 
prises and medium-sized companies, one of their top issues is how 
to manage large content databases and whether RBS can help; most 
of these environments also have some form of custom code, whether 
an in-house or off-the-shelf product. But don’t fear: Use these sugges¬ 
tions to take control of SharePoint, before it takes control of you. ■ 
Windows 8 Consumer Preview

Find out more about what's in store in the new OS


The so-called Consumer Preview version of the next version of
Windows, code-named Windows 8, debuted on February 29 
(as promised). As with the September 2011 Developer Preview, 
this version is open to the public. But the Consumer Preview offers 
a more feature-complete peek at Windows 8 than did its predeces¬ 
sor. This version’s well-rounded user experiences work not just with 
touch, but also with the mouse- and keyboard-input types that are 
common on today’s PCs. 

How you feel about Windows 8 depends on whether you accept that 
the Apple iPad and its tablet ilk are ushering in a new era of simpler, 
more approachable computing experiences. There’s little doubt that 
Apple’s devices (not just the iPad, but also the iPhone and, to a much 
lesser extent, the Mac) are making huge inroads with both average us¬ 
ers and businesses of all sizes. So Microsoft’s response—what it calls a 
“no compromises” vision for Windows that addresses both the touch- 
friendly, iPad-like future and the more pedestrian, workhorse scenarios 
for which we use more traditional computers—is at least timely. 

It’s also debatable whether the strategy makes any sense. Rather 
than take the more aggressive Apple approach and abandon the past 
for a new, lighter platform, Microsoft has chosen to drag its past (i.e., 
the Windows desktop environment) kicking and screaming into the
future. In Windows 8, we see a strange mix of dual—and, dare I say, 
dueling —environments, duking it out for our attention. The result is 
powerful and backward-compatible, but confusing. 


Dueling Desktops 

Figure 1 shows the first of these two interfaces, the Windows desktop.
This desktop has been spiffed up with a handful of new features,
including a new Ribbon-based Windows Explorer, a new file copy-and-move
experience, a new Task Manager, and integrated browsing of ISO and
Microsoft Virtual Hard Disk (VHD) disk image files. But Microsoft makes
it obvious that this legacy UI now plays second fiddle. The desktop
that we know, love, and understand is not where the software giant's
attentions lie in this release.



Instead, up front and center is the second and newer of these two 
user experiences, which (annoyingly) doesn’t even have a proper 
name. I call it Metro because it provides what Microsoft calls immer¬ 
sive, Metro-style experiences: 
• a new lock screen

• a new Start screen, which replaces the Start menu that we’ve 
used since Windows 95, as well as the application-launching 
functionality of the Windows 7 taskbar 

• a new runtime environment, called WinRT, which supports new, 
full-screen, Metro-style apps 

• a slew of system-level UIs that cross between both UIs 

Is it a mess? You bet it is, but in some ways it’s a beautiful mess. 
Metro, which Figure 2 shows, is attractive. And although power users 
will shudder at the thought of its full-screen apps and experiences, the 
Consumer Preview proves that this environment works well with mouse- 
and keyboard-based machines, as well as with the touch-based tablets 
and hybrid devices. Microsoft has extended the Developer Preview’s 
touch-based edge UIs, in which users swipe the edges of a touch screen 
to accomplish various actions, with a full selection of screen-corner 
hotspots (for mice) and keyboard actions and shortcuts. It all works 
surprisingly well—once you figure out what’s going on. 
Figure 2: Metro-style Start screen

Figure 3: Switcher


One key to this system is that certain Metro experiences, such as the 
Start screen, PC settings, and Metro-style apps, are available whether 
you’re in Metro or in the desktop. These include a new application 
switcher called, logically enough, Switcher, which Figure 3 shows; 
the new Start experience, which replaces the old Start button; and 
charms, a curiously named but useful set of system capabilities that 
includes Search, Share, Devices, and Settings. Charms are powerful, 
as it turns out, and context-sensitive. For example, when you access 
Settings from the desktop, you see desktop-related settings options; 
when you access Settings from a Metro-style app, you see settings 
that are relevant to that app. 

The interaction between Metro and the desktop might be confus¬ 
ing at first. It might help to consider the desktop as an app of sorts, 
something that runs underneath Metro rather than alongside it. That 
isn’t what’s really happening, at least not technically. But when you 
consider that the desktop environment was essentially the OS in pre¬ 
vious Windows versions, you really do need a way to wrap your mind 
around its subservient nature in Windows 8. 
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The Metro Experience 

So, the desktop works mostly as it did before, aside from the previ¬ 
ously mentioned additions and a handful of UI deletions to accommo¬ 
date the Metro UI. The real changes in Windows 8 come via that new 
Metro user experience. And it makes itself known from the get-go: 
Setup has been updated yet again, to be faster and sleeker. (IT pros 
will note that a handful of configuration options need to be complet¬ 
ed after setup, making the gains there somewhat illusory.) The final 
phase of setup, called the out-of-box experience (OOBE), has been 
significantly updated with a Metro look and feel. 

That new Metro-style user experience carries on from there, with a 
Metro-fied lock screen that will immediately be familiar to Windows 
Phone users (as Figure 4 shows). It has app-notification icons for such 
tasks as email, calendar, and even weather. And unlike the Windows 
Phone version, the desktop version of the Metro interface is extremely 
customizable. You can log on to the PC by using a smartphone-like PIN 
Figure 4: Windows 8 lock screen

Figure 5: Live tiles with always-updating faces


or picture password, which is fun. But the big news is that non-domain 
users can now log on directly to their Microsoft ID (formerly Windows 
Live ID), instead of linking the accounts later. In Windows 8, this capa¬ 
bility accomplishes a lot, as many settings can be automatically synced 
between PCs that use Microsoft cloud services. (I’ve been told that 
domain users can link their accounts to a Microsoft ID, but I couldn’t 
find the setting to do so in the Consumer Preview.) 

However you sign in, you’re then confronted by the new Metro-style 
Start screen: a full-screen, fully configurable dashboard that contains 
Windows Phone-like live tiles for the Metro and classic Windows 
apps (as well as documents, websites, and other items) that you use 
most often. As with their Windows Phone equivalents, the Windows 8 
live tiles, which Figure 5 shows, are far more graphical and expressive 
than simple icons. For example, instead of a little “4” badge to indicate 
that you have four new email messages, the Mail tile actually cycles 
through a preview of each message. 

Nice! But also potentially overwhelming. With about 16 live tiles or 
so visible on a typical 1366 x 768 screen, you could be looking at a lot 
of animating and live updating, depending on your configuration. On
my test tablet, at least six of these tiles are constantly spinning and 
redisplaying. Maybe it's an age thing, but I sometimes find it tiring. 
I suspect youngsters will love it, given their shorter attention spans 
and their penchant for sound bites. 

Admins and IT pros who aren't fans of live tiles should know this: 
The Start screen isn't just fully customizable; it's also fully control¬ 
lable via Group Policy. You can literally create custom-tailored dash¬ 
boards that expose only the apps that your users need to get their 
jobs done. As with any technology, this can be used for good or evil, 
but I do believe that a Windows 8 PC could ultimately prove easier to 
lock down than earlier Windows versions. And that could be a selling 
point, despite the training that this new experience requires. 

What's Up with Apps 

The Metro-style apps that run from the Start screen are, like smart¬ 
phone apps, full-screen experiences. However, many have been 
adapted to work in a unique side-by-side mode, in which the main 
app takes up about two-thirds of the screen and a secondary app 
takes up the rest, as Figure 6 shows. Not all Metro-style apps are 
custom-tailored for this type of use, but those that are (e.g., Calendar,
Weather) will be useful for multitasking. And there’s nothing like this 
on the iPad, where all apps are full-screen all the time, making task 
management more difficult. 

Microsoft bundles a number of apps in the Consumer Preview, but 
the company has indicated to me that this selection doesn’t neces¬ 
sarily represent what will be available in the final product, but rather 
what most users will see preinstalled on most PCs. This information 
tells me that the apps that fall neatly into the Bing and Windows 
Live categories—Maps, Weather, Finance, People, Photos, Calendar, 
Mail, and so on—will likely be bundled as Windows Live Essentials 
is today. That is, most new PCs will probably include these apps with 
Windows 8, but those who manually install the OS will need to get 
them manually (and for free) from the Windows Store. 

Although all these apps represent a major step up from the intern- 
created sample Metro apps that Microsoft bundled with the Developer 
Preview (none of which are available now), few stand out. The Bing 
and Windows Live apps, in particular, are clearly labeled as App 
Previews, meaning that they are incomplete. Microsoft tells me that 
its developers only got started on Windows 8 apps with the Developer 
Preview last fall, so the App Previews are at least six months behind 
the rest of the OS. And it shows. These apps are incomplete, lack ob¬ 
vious configuration options, and are often buggy. 

Some are at least attractive. Finance (Figure 7) and Weather, both 
Bing apps, are simply beautiful. And Windows Phone users will ap¬ 
preciate that Microsoft has taken the Windows Phone apps for Mail, 
Calendar, People, Photos, and Videos and updated them for the 
increased real estate and landscape orientation of the Windows 8 
screen. This is something that Apple has never done effectively with 
most iPad apps, which mostly just resemble bigger versions of the 
equivalent iPhone apps. (Yes, Apple lovers, there are exceptions, but 
Microsoft’s work here is more consistent across apps and looks better 
on the big screen.) 
Figure 7: Bing Finance app


As with mobile-device app stores, Microsoft will require that 
consumers find, download, and purchase all Metro-style apps for 
Windows 8 through a single online service, called the Windows Store, 
which Figure 8 shows. This store is in itself another amazingly attrac¬ 
tive app. More important, it provides a nice way to discover, down¬ 
load, and manage your apps. Only free apps are currently available, 
but the selection is growing week by week. Microsoft will enable paid 
apps—which can come in trial versions, another feature that the iPad
lacks—by the time it finalizes Windows 8. And businesses will be able 
to host their own internal apps in a private part of the store. Naturally, 
Microsoft understands the unique needs of businesses. 

The Real Question 

Ultimately, I keep coming back to the same question: Does a single OS 
with two user experiences—Metro and the desktop—make sense? I just 
don’t know, not yet. In a bid to find out, I’ve installed the Consumer 
Preview on all my regular-use machines and will be using only 
Windows 8 going forward. (I’ve written more than 40 articles about 
the Windows 8 Consumer Preview so far. You can find them all on the 
Windows 8 landing page on the Supersite for Windows .) For now, I can 
say that the Metro environment makes plenty of sense for tablets, where¬ 
as the desktop is likely to continue to rule on traditional PCs. Given the 
Windows 8 release schedule, that might need to be enough. ■ 
Managing Security Dependencies on Windows Networks

Make your infrastructure more resilient


Securing critical IT infrastructure and sensitive data is a top
priority for most administrators. However, even with the best 
security measures in place, servers can’t be run in complete 
isolation. Ideally, key IT systems should never depend on the secu¬ 
rity of less critical devices. But computer networks are complex, and 
unwanted dependencies might go unaccounted for or appear at un¬ 
expected moments. 

Security should be approached with the premise that your network 
is already compromised—you just don’t know it yet. So it makes sense 
to understand how endpoint security can affect crucial IT services. 

What Is a Security Dependency? 

Domain controllers (DCs) provide security services for all devices in 
a domain, so if a DC is compromised, you must consider all the de¬ 
vices in your domain to be compromised. Endpoints depend on DCs 
for certain aspects of their security, and this is an acceptable security 
dependency. But if this situation is reversed and a DC becomes reliant 
on an endpoint for its security —that is a dependency that should be 
eliminated. 

Access-based dependencies involve users accessing sensitive systems
from a device that has a security issue. A typical example is an IT
administrator who connects remotely to a DC from a desktop computer
that's infected with a keylogger. Another commonly broken rule of IT
security occurs when administrators create administrative
dependencies, such as by using a domain admin account to log on to a
workstation. If the workstation were to be compromised, the security
of the domain could be put at risk: Cached domain admin credentials
could be exposed or otherwise intercepted by malware. Administrators
often create service account dependencies by using the same logon
credentials to run a Windows service across multiple servers. If the
credentials are compromised on one server, then the security of more
than just one machine is in doubt.
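
Service account dependencies are easy to create and hard to see, so here
is an added example (not from the article) that finds them: it inventories
which domain accounts run services on which servers, then reports any
account shared across more than one server and any service running under
a member of Domain Admins. The server list and domain name are
assumptions; run it from an account that has WMI access to the servers.

```powershell
# Added example (not from the article): find service account dependencies by
# inventorying the domain accounts that run services across servers. Server
# names and the domain are assumptions; needs WMI access to each server.

$Servers = 'SRV-APP01', 'SRV-APP02', 'SRV-DB01'   # assumed server inventory
$Domain  = 'CORP'                                 # assumed NetBIOS domain name

function Get-DomainServiceAccounts {
    # Built-in identities are not shared secrets, so only domain accounts count.
    foreach ($server in $Servers) {
        try {
            Get-WmiObject Win32_Service -ComputerName $server -ErrorAction Stop |
                Where-Object { $_.StartName -and (($_.StartName -like "$Domain\*") -or ($_.StartName -like '*@*')) } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Server  = $server
                        Service = $_.Name
                        Account = $_.StartName
                    }
                }
        } catch {
            Write-Warning "Could not query ${server}: $_"
        }
    }
}

function Get-DomainAdminMembers {
    # Direct members of Domain Admins via ADSI, so no AD module is required on PS 2.0.
    $group = [ADSI]"WinNT://$Domain/Domain Admins,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        "$Domain\" + $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Find-ServiceAccountDependencies {
    # An account on more than one server links those servers' security;
    # a Domain Admin account running any service is the worst case.
    $admins = @(Get-DomainAdminMembers)
    Get-DomainServiceAccounts | Group-Object Account | ForEach-Object {
        $onServers = @($_.Group | Select-Object -ExpandProperty Server -Unique)
        New-Object PSObject -Property @{
            Account             = $_.Name
            ServerCount         = $onServers.Count
            Servers             = ($onServers -join ', ')
            SharedAcrossServers = ($onServers.Count -gt 1)
            IsDomainAdmin       = ($admins -contains $_.Name)
        }
    } | Where-Object { $_.SharedAcrossServers -or $_.IsDomainAdmin }
}

Find-ServiceAccountDependencies |
    Format-Table Account, ServerCount, Servers, SharedAcrossServers, IsDomainAdmin -AutoSize
```

Every row in the output is a dependency to break: give each service on
each server its own account (or a managed service account where the
platform supports it), and never let a Domain Admin account appear here.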

IT administrators aren’t the only ones guilty of committing some 
of security’s cardinal sins. Users can also create undesirable security 
dependencies by using the same username and password for multiple 
systems or by transferring confidential data to a USB drive that isn’t 
authorized for use on the network. 

Protecting Crucial Infrastructure Against Rogue Systems 

Sometimes a company’s Active Directory (AD) domains and crucial 
servers are exposed to systems that are not under your control, such 
as when a contractor connects a netbook to your corporate network. 
In such cases, you can’t be sure whether the device is fully patched, 
protected by antivirus, or running malicious software. You can deploy 
network segregation to help ensure that unknown and rogue devices 
are isolated from your crucial systems, perhaps until such time as the 
health of those systems can be validated by a network access control 
system, such as Microsoft Network Access Protection (NAP). 

You can configure IPsec rules to provide domain and server isolation. In this scenario, the identity of each device on a network is validated before communications are permitted. In addition, IPsec can provide data integrity and encryption. All too often, Windows Firewall is disabled on corporate intranets in the belief that the risks are low and that the firewall at the network edge is the most important security protection mechanism. Windows Firewall can ensure that endpoints talk to servers and that endpoints are prevented from communicating with one another. For more information about IPsec server and domain isolation, see “Use IPsec to Isolate a Domain.”

Eliminating Unwanted Administrative and Access-Based Security Dependencies

All but the most security-conscious small-to-midsized businesses (SMBs) are likely to give domain admin rights to new IT support personnel whose skills and integrity are as yet unproven. New staff are typically given rights to manage every crucial aspect of the company’s IT systems and possibly unrestricted access to all the confidential information held therein. CIOs take what seems an unacceptable risk because, without advance planning, it’s the fastest and most convenient way to make sure that IT staff have all the systems access that they’re likely to need.

Organizations should design AD with security in mind, separating crucial objects from those that Help desk staff manage on a daily basis. For example, service account user objects in AD should always be in a separate organizational unit (OU) from standard user accounts. Taking such a simple step facilitates restricting access to business-critical user objects. You can also segregate admin accounts into a separate group and set a fine-grained password policy to apply a more restrictive password policy for IT staff.

One of the most overlooked methods of limiting damage is to forbid the use of highly privileged domain accounts on endpoints. Microsoft recommends that a maximum of two accounts per domain should be assigned domain admin privileges. Domain admin credentials should never be entered on a machine that isn’t a DC. For example, administrators might use their everyday accounts with Remote Desktop Client to connect to a DC, entering their domain admin credentials and letting Remote Desktop Client store the credentials for quick future logons.


Windows IT Pro / May 2012 67


Removing Domain Admin Rights from IT Support Staff 

It’s assumed that IT staff will need to log on interactively to DCs and 
workstations. The easiest way to achieve this goal is to assign staff 
domain admin privileges. But with a little bit of planning, there’s 
no reason that domain admin rights should be required to log on to 
workstations with local administrator privileges. And there are other 
ways to manage DCs and AD without logging on locally. 

To prevent malware from intercepting domain admin credentials, Microsoft recommends using accounts without domain admin privileges to log on interactively to desktop computers. You can achieve this goal easily by creating a new AD group for IT support staff and by granting local administrator access to workstations.

Using an account that has permissions to create groups in AD, open 
Active Directory Users and Computers under Administrative Tools on 
the Start menu. Create a group called Desktop Administrators, then 
add IT support staff user accounts to this group. At this point, you 
can also consider removing any highly privileged access that these 
accounts have, such as Domain Admin group membership. 

Authenticated Users have the Add workstation to the domain right, so members of the Desktop Administrators group can add computers to the domain. But the catch is that there’s a quota, which is limited to 10 by default. There are several ways around this problem: to precreate computer accounts in AD, give IT support staff the Create Computer Objects and Delete Computer Objects rights on the Computers container, or edit the ms-DS-MachineAccountQuota AD attribute. For more information about these methods, see the Microsoft article “Domain Users Cannot Join Workstation or Server to a Domain.”

Once you’ve decided how to overcome the quota for adding workstations to the domain, you can configure Group Policy to add Desktop Administrators to the Administrators group on your workstations. Locate the Group Policy Management Console (GPMC) under Administrative Tools on the Start menu, and expand your domain in the left pane. Select the OU that contains your computer objects. Remember that you cannot link a Group Policy Object (GPO) directly to the default Computers container, so you’ll need to create an OU for computer objects if you don’t already have one in place. Right-click the OU, select Create a GPO in this domain and link it here, give the new GPO a name, and click OK.

In the left pane of GPMC, right-click the new GPO, and then select Edit from the context menu. The Group Policy Management Editor window opens. In the left pane, expand Computer Configuration, Windows Settings, Security Settings, and then right-click Restricted Groups, and choose Add Group. Type “Administrators” in the Add Group box and click OK. In the Administrators Properties window, which Figure 1 shows, click Add (next to Members of this group), and enter any local machine groups or accounts that are members of the local Administrators group on your workstations. Then click Browse, and add Domain Admins and Desktop Administrators. Group Policy Restricted Groups overwrites the group membership of the local Administrators group on every workstation to which the GPO is applied. If you need more flexibility, you can use Group Policy Preferences to update rather than overwrite local group membership. Click OK and close the Group Policy Management Editor.

Wait for Group Policy to refresh on your workstations, or manually run the command

gpupdate /force

on a workstation in the OU to which the GPO is linked. You should see that the Desktop Administrators group has been added to the local Administrators group on the workstation and that the default groups remain in place. This scenario allows IT support staff to log on and support desktops with full local administrative access, without needing domain admin rights.

Figure 1: Group Policy Restricted Groups setting

Understanding Cached Credentials and Credential Manager 

Windows stores cached credentials for domain users in a secure part of the system registry (HKEY_local_machine\security\cache). Although it’s possible to disable caching domain credentials, doing so is extremely inconvenient in all but the most secure environments—especially for notebook users. To get access to this subkey, you need to launch regedit with SYSTEM privileges. I’m not going to explain how to do that here; even if you were to delete the necessary registry values, Windows would just stop caching credentials. The registry values are not designed to be accessed or deleted manually, so they’re best left alone.

Although the cache cannot be cleared, you can delete usernames and passwords that are protected by the Credential Manager API, which allows applications such as Remote Desktop Client to securely store credentials for each Windows user. To get quickly to the Stored User Names and Passwords dialog box, which Figure 2 shows, enter

rundll32.exe keymgr.dll, KRShowKeyMgr

at a command prompt. In this dialog box, you can add, remove, or edit the stored credentials and back up and restore credentials if required. To get to a newer version of the interface in Windows 7, choose User Accounts, Credential Manager from the Control Panel.
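The same store can be managed from the command line with cmdkey.exe, which lets you find and remove the Remote Desktop Client credentials for DCs that the article warns against storing on a workstation. This script is an added example, not from the article; it assumes DC host names DC01 and DC02 in contoso.com, and the cmdkey output shown is constructed.

```powershell
# Added example (not from the article): list the TERMSRV/<host> entries that
# Remote Desktop Client stored through Credential Manager and delete those
# that point at domain controllers. Assumed DC names: DC01, DC02.

function Get-StoredTerminalServerTargets {
    # Parses 'cmdkey /list' output and returns the TERMSRV/<host> targets.
    # Takes the output text as a parameter so the parsing can be exercised on
    # a sample without touching the real credential store.
    param([Parameter(Mandatory=$true)] [string[]] $CmdkeyOutput)
    foreach ($line in $CmdkeyOutput) {
        # cmdkey prints e.g. "    Target: Domain:target=TERMSRV/dc01.contoso.com"
        if ($line -match 'Target:\s*(?:\S+:target=)?(TERMSRV/\S+)') { $Matches[1] }
    }
}

function Remove-StoredDcCredentials {
    # Deletes stored RDP credentials whose host name is one of the DCs.
    param(
        [Parameter(Mandatory=$true)] [string[]] $DomainControllers,
        [switch] $WhatIf
    )
    $targets = Get-StoredTerminalServerTargets -CmdkeyOutput (& cmdkey.exe /list)
    foreach ($t in $targets) {
        # 'TERMSRV/dc01.contoso.com' -> 'dc01' (strip prefix and DNS suffix)
        $hostName = ($t -split '/')[1] -replace '\..*$', ''
        if ($DomainControllers -contains $hostName) {
            if ($WhatIf) { "Would delete $t" }
            else { & cmdkey.exe "/delete:$t" | Out-Null; "Deleted $t" }
        }
    }
}

# Constructed sample of cmdkey output, used to exercise the parser offline.
$sample = @(
    'Currently stored credentials:',
    '',
    '    Target: Domain:target=TERMSRV/dc01.contoso.com',
    '    Type: Domain Password',
    '    User: CONTOSO\jsmith-da',
    '',
    '    Target: MicrosoftAccount:target=SSO_POP_Device',
    '    Type: Generic'
)
Get-StoredTerminalServerTargets -CmdkeyOutput $sample

# Dry run against the real store on this workstation, then the removal.
Remove-StoredDcCredentials -DomainControllers 'DC01','DC02' -WhatIf
Remove-StoredDcCredentials -DomainControllers 'DC01','DC02'
```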

Figure 2: Stored User Names and Passwords dialog box

Service Accounts

Microsoft recommends using the built-in Local System account for third-party services, but many organizations opt to use an AD user account so that only the required privileges can be granted. This approach provides some damage limitation should the service be compromised. However, it also introduces the complexity of managing the account’s password, which should be changed on a scheduled basis, just like any other user account password. Whenever possible, service accounts should be configured for least privilege, and you should always question the need for a service to have domain or local admin rights.

In Windows Server 2008 R2, Microsoft introduced managed service accounts (MSAs), which work like AD computer accounts in that passwords are assigned and reset automatically. These accounts can be created only by using Windows PowerShell and aren’t supported by all third-party services. MSAs must be installed on a computer and, by design, can be associated with only one device, and therefore can’t be used in cluster-failover scenarios. When you configure a service to use an MSA, leave the password boxes blank. For more information about how to set up these accounts, see “Use MSAs to Ease the Pain of Administering Service Accounts.” (Note that the next release of Windows Server—Windows Server 8—will introduce group MSAs, which will remove these restrictions.)
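The MSA lifecycle described above (create in AD, bind to one computer, install there, run the service with a blank password) as an added PowerShell example; this is not the article’s code, and the names CONTOSO, svcBackup, APP01 and BackupAgent are assumed.

```powershell
# Added example (not from the article): set up a managed service account on
# Windows Server 2008 R2 and point a service at it. Assumed names: domain
# CONTOSO, MSA svcBackup, server APP01, service BackupAgent. Needs the
# ActiveDirectory module (RSAT) and a forest with the 2008 R2 schema.
Import-Module ActiveDirectory

# 1. Create the MSA. AD generates and rotates its password; nobody knows it.
New-ADServiceAccount -Name 'svcBackup' -Enabled $true `
    -Description 'MSA for the BackupAgent service on APP01'

# 2. Bind the account to exactly one computer (an MSA cannot be shared).
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svcBackup'

# 3. On APP01: install the MSA locally and confirm it is usable there.
Invoke-Command -ComputerName 'APP01' -ScriptBlock {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity 'svcBackup'
    if (-not (Test-ADServiceAccount -Identity 'svcBackup')) {
        throw 'MSA svcBackup is not usable on this host'
    }
}

# 4. Run the service as the MSA. The account name carries a trailing $ and
#    the password is left blank, as the article describes. Win32_Service.Change
#    takes (DisplayName, PathName, ServiceType, ErrorControl, StartMode,
#    DesktopInteract, StartName, StartPassword, ...); $null leaves a value as is.
$svc = Get-WmiObject -Class Win32_Service -ComputerName 'APP01' -Filter "Name='BackupAgent'"
$rc  = $svc.Change($null, $null, $null, $null, $null, $null, 'CONTOSO\svcBackup$', '')
if ($rc.ReturnValue -ne 0) {
    throw "Changing the service account failed, return code $($rc.ReturnValue)"
}
Get-Service -ComputerName 'APP01' -Name 'BackupAgent' | Restart-Service

# Least privilege check: the MSA should not have been added to admin groups.
Get-ADServiceAccount -Identity 'svcBackup' -Properties MemberOf |
    Select-Object -ExpandProperty MemberOf
```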

Best Practices for Damage Limitation 

Remember the importance of least-privilege security, which applies equally to servers and PCs. Removing administrative rights from IT support staff and users helps to minimize the damage, should malware find its way onto a device. Third-party solutions, such as Avecto Privilege Guard and BeyondTrust PowerBroker, provide more sophisticated privilege-management functionality than is available out-of-the-box in Windows. These solutions can be used to solve least-privilege security challenges quickly and to provide more granular control than would otherwise be possible. Application whitelisting is also essential to block unauthorized applications in a user’s logon session, especially considering that antivirus is not always effective at detecting threats.

Never enter sensitive credentials on a system that an untrusted person has used or might use or that could be exposed easily to malware. Manage sensitive computers, such as DCs, from dedicated management workstations and use AD delegation and OUs to separate objects that are crucial for running business systems from those that support staff can manage on a regular basis. And in the case of a virus outbreak or other malicious attack, following the advice in this article will make your IT infrastructure more resilient. ■

InstantDoc ID 142470 
Defragment and Shrink VMware Workstation Disks

Cleaning up bloated disks is a snap

For years, I’ve used VMware Workstation for software testing, technical support, and application virtualization. I’ve learned that over the course of many cycles of use—particularly OS upgrades—the real disk space that a virtual disk uses can grow well beyond its virtual space, possibly degrading performance. The VMware Workstation graphical tools can’t always recapture this space, but you can clean up bloated disks by using a specific procedure and some downloadable VMware tools.

No Snapshots or Linked Clones 

Let’s start with an important caveat. If you’re using snapshots or linked clones in VMware Workstation, then do not use the procedures that I outline here. Virtual machines (VMs) that run from a snapshot or a linked clone run from virtual disks that are overlays for the original VM. If you attempt to defragment the original VM or a clone, you add a great deal of complexity, ensuring that you’ll actually experience worse performance. Overlays already minimize the amount of space that’s used for virtual disks; you’re likely to increase the amount of space that’s taken for the cloned disk.

Note that it’s OK to use the techniques in this article to clean up what VMware calls full clones. A full clone is created from a complete copy of the original source VM but is not tied to it. If you aren’t certain whether a VMware machine is a clone, snapshot, or source, then look at the machine details in VMware Workstation. Clones and snapshots explicitly mention the clone or snapshot source, as Figure 1 shows. The machine in Figure 2 is unlinked and simply shows the VMware Workstation version.


Figure 1: Machine details for a clone machine (the Clone of: field names the source VM)

Figure 2: Machine details for an unlinked machine (no clone or snapshot source; only the Workstation version is shown)


Do I Need to Defragment My Virtual Disks? 

Fragmentation-related performance and size issues for a virtual disk vary, based on multiple factors. I use two simple rules of thumb.

First, if I think I see a significant performance loss in a VM, then the machine might need cleanup. Second, I compare the size of the Virtual Machine Disk Format (VMDK) file in which the disk resides to the amount of space that the VM internally reports is used for the drive. This comparison will not work as a measure if your VMware disks use preallocated space. Fixed disks still benefit from defragmentation, but the VMDK file will always be the maximum possible size for the VM disk.

To find the space that the file uses directly, right-click the VM in the VMware Favorites list, and choose Settings from the context menu. In the Virtual Machine Settings window that opens (as Figure 3 shows), select the hard disk under the Device column on the left (under the Hardware tab). Then, look in the Capacity area in the right half of the window. The Current size value shows the current size of the file on disk. Next, boot the guest OS and find the amount of space that it claims is in use. If the guest OS reports a significantly smaller usage than is listed for the VMDK file, you’ll probably benefit from defragmenting and shrinking the disk.

Figure 3: Virtual machine settings (Hardware tab; Disk file: Windows 2000 Professional.vmdk; Capacity: Current size 6.6 GB, System free 81.2 GB, Maximum size 16 GB; disk space is not preallocated and the contents are stored in a single file)

Step 1: Clean Up from the Guest OS 

The first step is to defragment the disk from within the guest OS. This is probably a good time to perform general maintenance such as OS and application updates. (When performed, these updates immediately cause some fragmentation and increase used space.) After defragmentation, shut down the VM.

Step 2: Use VMware Tools to Defragment and Shrink 

Although VMware Workstation has options for mounting and shrinking a virtual disk via the Utilities button in the Virtual Machine Settings window, these options rarely have a significant effect on the virtual disk size. For example, I had a Windows 2000 Professional VMDK file with lots of slack space. The Win2K guest reported that it was using only 2.31GB of space, but the disk file took up 6.6GB. Using the GUI tools did not reduce the space requirements on the disk. Instead, I recommend that you use VMware’s downloadable command-line tools, vmware-vdiskmanager and vmware-mount, to radically shrink the disks.

To begin, you need to get the tools from the VMware website. You’ll need to register with VMware, and then search for the tool download. On Windows 7 running VMware Workstation 7.1, I use the VMware Virtual Disk Development Kit (VDDK), which includes both tools. Install the VDDK, and make sure to take note of the folder in which the VDDK is installed. On 32-bit Windows systems, that folder is typically something like C:\program files\vmware\vmware virtual disk development kit\bin; on 64-bit Windows systems, it will be something like C:\program files (x86)\vmware\vmware virtual disk development kit\bin. Now you’re ready to start:

1. Use an account with administrative privileges to open a command prompt.

2. Use the command

pushd

to set your current directory to the VDDK folder, as the code at callout A in Listing 1 shows. This step ensures that the VMware tools—and more importantly, their supporting DLLs—are at the front of the command search path. If you’re running 64-bit Windows, I strongly advise performing this step as instructed, even if you think you know a better way. If other paths are searched first, the VMware virtual disk-mounting tool, vmware-mount, frequently fails.

3. Defragment the virtual disk file by using the VMware tools. At the command prompt, run the command

vmware-vdiskmanager

with the -d (for defragment) option and the complete path to the virtual disk file. The code at callout B in Listing 1 shows this command for a VMDK file at E:\win2k pro\w2kprodisk1.vmdk.

Listing 1: ShrinkVmdk.cmd

:: A - run the tools from the VDDK folder so that their DLLs are found first
pushd "C:\Program Files (x86)\VMware\VMware Virtual Disk Development Kit\bin"

:: B - defragment the virtual disk file
vmware-vdiskmanager -d "e:\Win2k Pro\W2kProDisk1.vmdk"

:: C - map the VMDK file as drive Z
vmware-mount Z: "e:\Win2k Pro\W2kProDisk1.vmdk"

:: D - Prepare using the drive letter, not the path
vmware-vdiskmanager -p Z:

:: E - dismount drive Z
vmware-mount -d Z:

:: F - Now, shrink the VMDK file
vmware-vdiskmanager -k "e:\Win2k Pro\W2kProDisk1.vmdk"

4. At this point, you need to map the file as a disk, by using vmware-mount. You must specify an unused drive letter and the path to the VMDK file. The code at callout C in Listing 1 maps drive Z to the W2kProDisk1.vmdk file.

5. To prepare the disk for shrinking, use the command

vmware-vdiskmanager

with the -p (for prepare) option and the drive letter of the drive on which the VMDK file is mounted, not the path to the VMDK file. Using the wrong drive letter is the second source of problems for first attempts at disk shrinking; this is the only point at which you depend on a drive letter. The code at callout D in Listing 1 shows the correct procedure for a file that you’ve mounted as disk Z. You’ll receive a continuously updated percentage display that tells you about the progress in wiping the disk. What’s being wiped isn’t the disk as a whole, but the blank space in the file.

6. Next, unmount the disk by using the command

vmware-mount -d

as shown at callout E in Listing 1. With this command, “d” is for “dismount.”

7. Finally, shrink the VMDK file by using the command

vmware-vdiskmanager -k

as shown at callout F in Listing 1. Here, “k” is a mnemonic for the word “shrink”; the letter “s” is used for another option.

At this point, you’re finished. The technique can be extremely effective. The Win2K disk file that I mentioned earlier—the one that took up 6.65GB of space when the guest OS was using only 2.3GB of space—shrank to only 2.32GB. You can repeat this process for each guest OS that’s taking excessive space.

Step 3: Defragment the Host Disk 

As a final step to improve performance, from the hosting OS, defragment the physical disk on which the VMs reside. If you have performance or space problems because of fragmentation of guest drives, this step should resolve the problem.

Automating Disk Shrink 

Although I find it simplest to perform guest OS maintenance manually when needed, the VMware disk defragmentation and shrinking operations can be automated easily. (They work from the command line anyway.)

The batch file ShrinkVmdk.cmd can be downloaded to automate step 2 of the previous process. The one assumption that this file makes is that drive Z is unused; if this isn’t true, you’ll want to modify the line

set tmpdrive=Z:

near the top of the batch file, to point to a free drive letter.

After you’ve installed the VDDK, you can start an elevated command-line window and run the script with the complete path to the VMDK file that you need to defragment. Using the batch file, you can defragment the sample virtual disk file by using the command

shrinkvmdk "E:\Win2k Pro\W2kProDisk1.vmdk"
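The same six-step sequence as a PowerShell function, added here as an example that is not the article’s batch file: it checks the assumptions the batch file makes (the VDDK folder and the VMDK file exist, the temporary drive letter is free) and stops at the first tool that fails. The 64-bit VDDK path and drive Z: are assumed defaults.

```powershell
# Added example (not from the article): defragment and shrink a VMDK with the
# VDDK command-line tools, verifying each step. Assumes the 64-bit VDDK path
# and a free Z: drive unless overridden.

function Invoke-VmdkShrink {
    param(
        [Parameter(Mandatory=$true)] [string] $VmdkPath,
        [string] $TempDrive = 'Z:',
        [string] $VddkBin = 'C:\Program Files (x86)\VMware\VMware Virtual Disk Development Kit\bin'
    )
    if (-not (Test-Path -LiteralPath $VmdkPath)) { throw "VMDK not found: $VmdkPath" }
    if (-not (Test-Path -LiteralPath $VddkBin))  { throw "VDDK bin folder not found: $VddkBin" }
    # The batch file's one assumption: the temporary drive letter is unused.
    if (Get-PSDrive -Name $TempDrive.TrimEnd(':') -ErrorAction SilentlyContinue) {
        throw "Drive $TempDrive is in use; choose another temporary drive letter"
    }

    # Run the tools from the VDDK folder so their DLLs are found first (callout A).
    Push-Location -LiteralPath $VddkBin
    try {
        $steps = @(
            @{ Name = 'defragment'; Exe = 'vmware-vdiskmanager.exe'; Args = @('-d', $VmdkPath) },    # B
            @{ Name = 'mount';      Exe = 'vmware-mount.exe';        Args = @($TempDrive, $VmdkPath) }, # C
            @{ Name = 'prepare';    Exe = 'vmware-vdiskmanager.exe'; Args = @('-p', $TempDrive) },    # D: drive letter, not path
            @{ Name = 'unmount';    Exe = 'vmware-mount.exe';        Args = @('-d', $TempDrive) },    # E
            @{ Name = 'shrink';     Exe = 'vmware-vdiskmanager.exe'; Args = @('-k', $VmdkPath) }      # F
        )
        foreach ($s in $steps) {
            $argList = $s.Args
            Write-Host "[$($s.Name)] $($s.Exe) $($argList -join ' ')"
            & ".\$($s.Exe)" @argList
            if ($LASTEXITCODE -ne 0) {
                # If prepare failed the disk is still mounted; release the letter first.
                if ($s.Name -eq 'prepare') { & '.\vmware-mount.exe' -d $TempDrive }
                throw "Step '$($s.Name)' failed with exit code $LASTEXITCODE"
            }
        }
    }
    finally { Pop-Location }
    # Size of the VMDK file after shrinking, in GB, for comparison with the guest's usage.
    [math]::Round((Get-Item -LiteralPath $VmdkPath).Length / 1GB, 2)
}

Invoke-VmdkShrink -VmdkPath 'E:\Win2k Pro\W2kProDisk1.vmdk'
```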

In my experience, VMware’s virtual disks are generally trouble-free and don’t regularly need significant cleanup. However, when you do find that a virtual disk is eating up excessive drive space, you can use this process to quickly resolve the problem. ■
Administering SharePoint with Windows PowerShell: Zero to Sixty in Three

Want to get up to speed, fast, with PowerShell? SharePoint MVPs Dan Holme and Gary Lapointe join forces to accelerate your learning curve in this one-of-a-kind workshop, live and online. You'll be working at full throttle, administering and automating SharePoint configuration and management, by the end of three intensive and highly practical sessions.

Session 1: A Practical Jump Start to Administering SharePoint with Windows PowerShell

Session 2: Go Beyond the Management Shell with SharePoint and Windows PowerShell

Session 3: Automating SharePoint Administration with Windows PowerShell
Using Shared Mailboxes with Office 365

Added value without added cost


Every Microsoft Exchange Server or Exchange Online administrator knows about regular mailboxes. But how many know that they can add shared mailboxes to their deployment, at no cost? Making effective use of shared mailboxes can add a great deal of value, whether in an on-premises Exchange Server organization or a Microsoft Office 365 tenant domain.

What Is a Shared Mailbox? 

As defined in the Microsoft article “Understanding Recipients,” an Exchange shared mailbox isn’t associated with a primary user. Rather, this type of mailbox is “generally configured to allow logon access for multiple users.” In other words, a shared mailbox is a functional mailbox that one or more users access for a specific purpose.

For example, suppose you ran a doctor’s office. You could have a shared mailbox called Appointments, which you could use to send appointment reminders to patients (rather than sending the messages from the doctor’s personal mailbox). In the same way, a consulting company such as mine could have a shared mailbox called Billing or Invoices, used to dispatch invoices to customers. In these scenarios, the users who have access to the shared mailboxes are called delegates. Before these users can work with the shared mailboxes, an administrator must delegate the rights to access and send mail by using those mailboxes.
Unlike regular mailboxes, users cannot log on to shared mailboxes because the Active Directory (AD) accounts that link to these mailboxes are disabled. Office 365 customers don’t need to buy subscriptions for shared mailboxes, and on-premises Exchange customers don’t need CALs to use shared mailboxes. However, in both instances, the delegates who access the mailboxes must be properly licensed. Apart from the licensing and logon differences, shared mailboxes work in the same way as regular mailboxes. You can assign an archive mailbox or apply a retention policy to a shared mailbox. See the Microsoft Exchange Licensing FAQ for additional details about licensing for shared mailboxes.

Creating a Shared Mailbox 

The version of the Exchange Control Panel (ECP) that is provided for Office 365 tenants doesn’t support the creation of shared mailboxes. Luckily, you can easily use the Exchange Management Shell (EMS) for this purpose. I recommend that you follow the steps in MVP Brian Desmond’s blog to create a Windows PowerShell profile that contains a function that does all the work of setting up a new remote management session with Office 365.

After you’re connected to Office 365, you can run the following steps to create the new shared mailbox and to configure it so that users can open it and send email from it. You will need to be a member of the Organization Management or Recipient Management role group to run these cmdlets:

1. Run the New-Mailbox cmdlet to create the shared mailbox. Make sure to pass the -Shared parameter to mark the mailbox as shared. The only other parameter that you need to pass is the name of the shared mailbox.

2. Run the Add-MailboxPermission cmdlet to delegate the FullAccess right to the mailboxes that you want to access the shared mailbox. This delegation allows the mailbox users to open the shared mailbox via Microsoft Outlook or Outlook Web App (OWA). You can also grant access to a Distribution Group (DG); all the members of the group inherit the access.

3. Run the Add-RecipientPermission cmdlet to assign the SendAs right to users who you want to be able to send new messages from the shared mailbox. This cmdlet is unique to Office 365; in Exchange 2010, use the Add-MailboxPermission cmdlet to complete this task.

4. If you need an archive for the shared mailbox, run the Enable-Mailbox cmdlet for the mailbox and include the -Archive parameter.

You can perform steps 2, 3, and 4 by using Exchange Management 
Console (EMC) wizards if you run a hybrid on-premises/cloud 
Exchange organization. 
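The four steps above as EMS cmdlets against an Office 365 tenant, added here as an example rather than taken from the article; it assumes the remote session is already open, a shared mailbox named Billing, a delegate user tredmond, and a distribution group named Finance Team.

```powershell
# Added example (not from the article): create and delegate a shared mailbox
# in Office 365 from an open EMS remote session. Assumed names: Billing,
# user tredmond, distribution group 'Finance Team'.

$shared = 'Billing'

# 1. Create the shared mailbox. -Shared leaves the AD account behind it
#    disabled, so nobody can log on to it directly and no licence is used.
New-Mailbox -Name $shared -Shared

# 2. FullAccess lets delegates open the mailbox in Outlook or OWA. Granting it
#    to a DG means membership changes are picked up without further delegation.
#    Add -AutoMapping $false (Exchange 2010 SP1 and later) if Outlook should
#    not open the mailbox automatically through Autodiscover.
Add-MailboxPermission -Identity $shared -User 'tredmond' `
    -AccessRights FullAccess -InheritanceType All
Add-MailboxPermission -Identity $shared -User 'Finance Team' `
    -AccessRights FullAccess -InheritanceType All

# 3. SendAs is a separate right; in Office 365 it is granted with
#    Add-RecipientPermission (-Confirm:$false suppresses the prompt).
Add-RecipientPermission -Identity $shared -Trustee 'tredmond' `
    -AccessRights SendAs -Confirm:$false

# 4. Optional archive mailbox for the shared mailbox.
Enable-Mailbox -Identity $shared -Archive

# Verify the result: explicit FullAccess grants, then SendAs trustees.
Get-MailboxPermission -Identity $shared |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $shared |
    Where-Object { $_.AccessRights -contains 'SendAs' } |
    Select-Object Trustee, AccessRights
```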

Figure 1 illustrates the steps to create a new shared mailbox named 
Billing: assigning FullAccess and SendAs rights to my mailbox. After 
the new shared mailbox is created, you can manage it through ECP, 
as if it was a typical mailbox. For example, you can edit the properties 
of the shared mailbox to add details such as the department. 



Accessing a Shared Mailbox 

If you use Outlook 2010 or 2007, you don’t need to do anything to access a shared mailbox after the FullAccess right is assigned to you. The next time that the Autodiscover function runs, it will detect that your mailbox can open the shared mailbox and will provide Outlook with the mailbox details. Microsoft made a change to Autodiscover, called auto-mapping, in Exchange 2010 Service Pack 1 (SP1) and further tweaked it in Exchange 2010 SP2. This change allows an administrator to provide a new, optional parameter to the Add-MailboxPermission cmdlet to tell Autodiscover not to map a shared mailbox for Outlook. Office 365 doesn’t support earlier Outlook versions, but you can connect an Outlook 2003 mailbox to a shared mailbox on an Exchange 2010 server by manually adding details of the shared mailbox to the Outlook profile.

Figure 1: Using EMS to add a new shared mailbox to Office 365

Figure 2: Shared mailboxes listed by Outlook

Outlook 2010 and 2007 clients run Autodiscover in a background thread each time they start and every 60 minutes thereafter, to ensure that clients always connect to the right resources. To pick up the new shared mailbox, you can either exit and restart Outlook, or you can wait until Autodiscover runs again, which should take no longer than 60 minutes. In either case, Outlook receives the information about the new shared mailbox from Autodiscover, automatically opens the shared mailbox, and lists it in the resources that are available to you. Figure 2 shows the list of resources that are available to me when I start Outlook. You can see that the Billing mailbox is listed, along with its archive.

OWA doesn’t use Autodiscover, so you need to open a shared mailbox each time you want to access its contents. To open a shared mailbox in OWA, click the name of your mailbox in the upper-right corner to reveal a set of options, then select Open Other Mailbox. Input the name of the mailbox that you want to open, press Ctrl + K to have Exchange validate the name, and then click Open. OWA opens the shared mailbox instead of your regular mailbox.

Sending Mail from a Shared Mailbox 

The FullAccess right gives you the ability to open a shared mailbox and manipulate its contents, including the ability to create and save a message. However, you must also possess the SendAs right before you can send a message. Therefore, you need to run both the Add-MailboxPermission and Add-RecipientPermission cmdlets.

To use Outlook to send email on behalf of a shared mailbox, create the message as you normally would, and then select the name of the mailbox that you want to send from. To do so, simply click the From field in the message header. Outlook 2010 always displays this field when more than one mailbox is configured in a profile, but you’ll need to select the Show From field option to reveal the field in Outlook 2007.

By default, your regular email address is shown in the From field. Click the button to select from the mailboxes that you have used before, or click Other Email Address and then select any mailbox from the Global Address List (GAL). Outlook puts the email address of the selected mailbox into the message header. You can validate the address by reviewing the message properties, as Figure 3 shows.

Who Sent Mail? 

Both Exchange 2010 and Office 365 allow you to audit messages that delegates, using the SendAs right, send from shared mailboxes. To do so, use the mailbox auditing feature that was introduced in Exchange 2010 SP1. This useful feature helps to protect the integrity of sensitive mailboxes, such as those that are used by senior executives or that contain confidential information, such as discovery search mailboxes. The feature can also help to answer the question of who sent a message from a shared mailbox.
Figure 3: Name of the shared mailbox in the message header (message Properties dialog showing the Internet headers)


Mailbox auditing is disabled by default; you don’t necessarily want audit entries to accumulate without good reason. Therefore, the first step is to enable auditing for selected shared mailboxes. No ECP UI is available for this task, so run the Set-Mailbox command:

Set-Mailbox -Identity "Billing" -AuditEnabled $True

Users or delegates are unaware when mailbox auditing is enabled. Auditing is performed for whichever actions you select. The SendAs action, which is the one we’re interested in for this example, is among the default set of actions that are always audited unless an administrator opts to exclude them. Each action is stored as an audit item and is held for 90 days—a limit that you can configure by setting the AuditLogAgeLimit property—in the Recoverable Items\Audit subfolder in the mailbox for which auditing is enabled. Regular clients such as Outlook and OWA can’t access this location, although it can be accessed by using utilities such as MFCMAPI.

86 Windows IT Pro / May 2012 WWW.WINDOWSITPRO.COM

Regretfully, Exchange doesn’t provide any nicely packaged utilities to search audit log entries. Therefore, we must use the Search-MailboxAuditLog cmdlet. Here’s a simple example that scans the Billing shared mailbox for any audit entries that indicate delegate-sent messages:

Search-MailboxAuditLog -Identity "Billing" -ShowDetails | Where {$_.Operation -eq "SendAs"} | Format-Table Operation, OperationResult, LogonUserDisplayName, ItemSubject, LastAccessed -Auto

You can see the result of this code (which should be entered as one line) in Figure 4. This figure clearly shows that I’m the culprit who sent the offending message from the Billing mailbox.
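The same idea applied to every shared mailbox at once, as an added example rather than the article’s own script: auditing is switched on where it is still off, the retention is raised from the 90-day default, and the SendAs entries of the last 30 days are collected into one report. It assumes an open EMS or remote PowerShell session to Exchange 2010 SP1 or Exchange Online; the CSV path is a constructed placeholder.

```powershell
# Added example (not from the article). Find out who used SendAs on any
# shared mailbox during the last 30 days, enabling auditing first where needed.

$days  = 30
$start = (Get-Date).AddDays(-$days)
$end   = Get-Date

# All shared mailboxes, not just "Billing"
$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

foreach ($mbx in $shared) {
    # Enable auditing where it is off and keep entries for 180 days
    # (the article's AuditLogAgeLimit; the default is 90 days).
    if (-not $mbx.AuditEnabled) {
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
            -AuditLogAgeLimit 180.00:00:00
    }
}

# SendAs by a delegate is logged under the Delegate logon type. -ShowDetails
# returns one object per audit entry instead of a per-mailbox summary.
$report = foreach ($mbx in $shared) {
    Search-MailboxAuditLog -Identity $mbx.Identity -LogonTypes Delegate `
        -ShowDetails -StartDate $start -EndDate $end |
        Where-Object { $_.Operation -eq 'SendAs' } |
        Select-Object MailboxResolvedOwnerName, LogonUserDisplayName,
            OperationResult, ItemSubject, LastAccessed
}

# Newest first on screen, plus a CSV for the security team
$report | Sort-Object LastAccessed -Descending | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\Temp\SendAs-audit.csv' -NoTypeInformation  # constructed path
```

Entries only exist for actions performed after auditing was enabled, so the first run reports nothing for mailboxes that were just switched on.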

Figure 4: Scanning a mailbox audit log for SendAs entries

Where Things Go 

Copies of messages that a delegate sends are stored in the Sent Items folder of the delegate’s default mailbox. Even though this arrangement caused much grumbling from users, it’s how Exchange and Outlook have worked for years. Eventually, Microsoft got the message and introduced a registry option in Outlook 2010 SP1 and Outlook 2007 SP2. If you want Outlook to store sent messages in the Sent Items folder of the shared mailbox, then update the registry by adding the new DWORD value HKCU\Software\Microsoft\Office\[version]\Outlook\Preferences\DelegateSentItemsStyle, where [version] is 12.0 for Outlook 2007 or 14.0 for Outlook 2010. If the value is missing or is set to 0 (zero), then Outlook behaves as before. Set the value to 1 (one) to make Outlook change the location in which it keeps sent items.

A similar issue exists with items that a delegate deletes from a shared mailbox. Logically, you might think that these items would go into the Deleted Items folder of the shared mailbox. But by default, Outlook moves such items into the Deleted Items folder of the delegate’s mailbox. Fortunately, another registry fix is available to force Outlook to move deleted items into the Deleted Items folder of the shared mailbox instead. Insert the new DWORD value at HKEY_CURRENT_USER\Software\Microsoft\Office\[version]\Outlook\Options\General\DelegateWastebasketStyle, and set the value to 4 (four). It would be nice if Microsoft had used keys in the same registry location to control both preferences for delegate behavior, but I suppose the fixes might have been made by two different teams. (And as always, modify the registry at your own risk!)
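Both delegate preferences applied in one go, as an added example that is not part of the article: the script looks for each Outlook version the article names, creates the subkeys if they are absent, and sets both DWORD values for the current user. The version-to-name table is built from the text above; everything else is standard registry handling.

```powershell
# Added example (not from the article). Set DelegateSentItemsStyle = 1 and
# DelegateWastebasketStyle = 4 for whichever Outlook versions exist in this
# user's profile. Run as the user concerned: both keys live under HKCU.

$outlookVersions = @{
    '12.0' = 'Outlook 2007 (SP2 or later)'
    '14.0' = 'Outlook 2010 (SP1 or later)'
}

foreach ($ver in $outlookVersions.Keys) {
    $root    = "HKCU:\Software\Microsoft\Office\$ver\Outlook"
    $prefs   = "$root\Preferences"
    $general = "$root\Options\General"

    # Skip versions that are not installed for this user
    if (-not (Test-Path $root)) { continue }

    # The subkeys are not always present on a fresh profile
    foreach ($key in $prefs, $general) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # 1 = keep sent items in the shared mailbox's Sent Items folder
    New-ItemProperty -Path $prefs -Name DelegateSentItemsStyle `
        -Value 1 -PropertyType DWord -Force | Out-Null

    # 4 = move deleted items to the shared mailbox's Deleted Items folder
    New-ItemProperty -Path $general -Name DelegateWastebasketStyle `
        -Value 4 -PropertyType DWord -Force | Out-Null

    # Read the values back so the result is visible
    $sent  = (Get-ItemProperty -Path $prefs).DelegateSentItemsStyle
    $trash = (Get-ItemProperty -Path $general).DelegateWastebasketStyle
    "{0}: DelegateSentItemsStyle={1}, DelegateWastebasketStyle={2}" -f `
        $outlookVersions[$ver], $sent, $trash
}
```

Outlook reads these values at start-up, so restart it after running the script.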

Other Types of Non-Standard Mailboxes 

In addition to regular and shared mailboxes, Exchange 2010 supports special-purpose mailboxes that are used to book rooms and equipment. In effect, these are different kinds of shared mailboxes. ECP for Office 365 doesn’t allow you to create these types of mailboxes either, but again, it’s easy to do with EMS.

Room and equipment mailboxes are scheduled by including them as a resource in a meeting request. You never log on to these mailboxes or their associated accounts; the only folder that’s used in these mailboxes is the Calendar folder.

You don’t need to pay for an Office 365 subscription to create and use room and equipment mailboxes. To create a new room mailbox, run the New-Mailbox cmdlet and pass the -Room parameter, such as I’ve done in this example:

New-Mailbox -Name "Office" -Room

An equipment mailbox is created in a similar manner, using the -Equipment parameter instead:

New-Mailbox -Name "Projector" -Equipment

Although simply creating the mailboxes is enough to use them for scheduling purposes, I also run the Set-CalendarProcessing cmdlet to tell Exchange to accept meetings automatically. And I run the Set-MailboxCalendarConfiguration cmdlet to tell Exchange in which time zone the room or equipment is located:

Set-CalendarProcessing -Identity "Office" -AutomateProcessing AutoAccept

Set-MailboxCalendarConfiguration -Identity "Office" -WorkingHoursTimeZone "GMT Standard Time"

Behind the scenes, Exchange runs background assistant processes to perform various tasks. Setting AutoAccept on a room or equipment mailbox means that the Calendar Attendant will update calendars as users generate requests; the Resource Booking Assistant will accept bookings based on the policy that you apply. For example, you can set the properties of a room mailbox so that only specific users are allowed to book it. All these approaches work equally well with on-premises Exchange 2010 servers.

Room Lists 

Exchange 2010 SP1 introduced the concept of a room list, to help users navigate through the masses of rooms that are often found in large companies. Again, although ECP in Office 365 doesn’t officially support room lists, there’s nothing to stop you creating lists for use with Outlook 2010, which is the only client to support this feature.

A room list is simply a special form of DG whose membership is composed of room mailboxes. Exchange doesn’t allow you to add other kinds of mailboxes to a room list. To create a room list, run the New-DistributionGroup cmdlet and pass the -RoomList parameter, as this example shows:

New-DistributionGroup -Name "House Rooms" -ManagedBy "Tony Redmond" -RoomList

This action creates an empty container that you can then populate with room mailboxes. Specifying the person who manages the DG is useful if you want to assign the task to someone other than an administrator.

Next, add the room mailboxes to the room list by using the Add-DistributionGroupMember cmdlet:

Add-DistributionGroupMember -Identity "House Rooms" -Member "Office"

In effect, this action creates a pointer between each room and the room list so that when a user accesses the room list, Exchange knows which rooms to display. You can see a list of the rooms in a list by using the Get-DistributionGroupMember cmdlet:

Get-DistributionGroupMember -Identity "House Rooms"
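The whole procedure from creating the resource mailboxes to populating the room list, as an added example that goes slightly beyond the article: it provisions several rooms and pieces of equipment, applies the AutoAccept and time zone settings to all of them, restricts who may book one room (the booking policy the text mentions), and builds the room list. Room, equipment and group names other than "House Rooms" and "Tony Redmond" are constructed for the example; it assumes an open EMS session.

```powershell
# Added example (not from the article): provision rooms and equipment,
# configure automatic booking, restrict one room, and build a room list.

$timeZone      = 'GMT Standard Time'
$rooms         = 'Boardroom', 'Meeting Room 1', 'Meeting Room 2'   # constructed names
$equipment     = 'Projector', 'Conference Phone'                   # constructed names
$roomListName  = 'House Rooms'
$roomListOwner = 'Tony Redmond'
$bookers       = 'Reception'   # constructed: a group allowed to book the Boardroom

function Test-RecipientExists($name) {
    # Get-Mailbox errors on an unknown name; treat that as "does not exist"
    return [bool](Get-Mailbox -Identity $name -ErrorAction SilentlyContinue)
}

foreach ($name in $rooms) {
    if (-not (Test-RecipientExists $name)) { New-Mailbox -Name $name -Room | Out-Null }
    # Calendar Attendant / Resource Booking Assistant accept requests automatically
    Set-CalendarProcessing -Identity $name -AutomateProcessing AutoAccept
    Set-MailboxCalendarConfiguration -Identity $name -WorkingHoursTimeZone $timeZone
}

foreach ($name in $equipment) {
    if (-not (Test-RecipientExists $name)) { New-Mailbox -Name $name -Equipment | Out-Null }
    Set-CalendarProcessing -Identity $name -AutomateProcessing AutoAccept
    Set-MailboxCalendarConfiguration -Identity $name -WorkingHoursTimeZone $timeZone
}

# Only members of $bookers may book the Boardroom; everyone else is declined
Set-CalendarProcessing -Identity 'Boardroom' -AllBookInPolicy $false -BookInPolicy $bookers

# Room list: a distribution group that may contain only room mailboxes
if (-not (Get-DistributionGroup -Identity $roomListName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $roomListName -ManagedBy $roomListOwner -RoomList | Out-Null
}
foreach ($name in $rooms) {
    # Adding an existing member raises an error; ignore it so the script is rerunnable
    Add-DistributionGroupMember -Identity $roomListName -Member $name -ErrorAction SilentlyContinue
}

# Equipment is deliberately not added: Exchange rejects non-room members
Get-DistributionGroupMember -Identity $roomListName |
    Format-Table Name, RecipientTypeDetails -AutoSize
```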

After you’ve populated your room list, you can use it with Outlook. Figure 5 shows the general scheme in action. A drop-down box called Show a room list, on the right side of the Schedule Appointment form, shows any room lists that are defined in the GAL, as well as any room mailboxes that you’ve used to book a room with Outlook. If you click the drop-down list and select a room list, Outlook populates the list of available rooms with whichever rooms in that list are available at the proposed time for the meeting. You can then select a room and add it to the meeting.

Rooms can be booked as meeting resources with OWA, but OWA doesn’t support room lists. Instead, you must select individual rooms and add them to the meeting request. Again, all this works nicely with on-premises Exchange 2010 as well as Office 365.

Exchange Online Is Exchange!

The thing to remember about Exchange Online in Office 365 is that it’s really just Exchange 2010 adapted for Microsoft’s hosting environment. Most features that work for on-premises Exchange 2010 work equally well for Exchange Online, even if Microsoft hasn’t yet fully exposed them in the ECP GUI. Over time, I’ve no doubt that Microsoft will increase the number of features that the ECP supports, but that’s no reason to lose out on those features now. So don’t wait: Start using all the various kinds of non-regular mailboxes today. ■

InstantDoc ID 142386


Figure 5: Using a room list with Outlook 2010

Building a Fully Functioning Windows 7 Deployment Solution with Microsoft MVP Greg Shields

You have Windows 7 licenses, but you're not ready to deploy? Do your Windows 7 deployment skills need more than just a training class? If so, you're in the right place!

That's why in this unique five-day eLearning experience with Greg Shields, you'll get more than just training. You'll get training PLUS a production-ready deployment SOLUTION that you've built from the ground-up. In five days, you'll begin with a basic Windows Server virtual machine and finish with a fully functional Windows 7 deployment solution you've constructed yourself. Using a unique combination of labs, lecture, and online Q&A, Greg will lead you through each of the major steps in building a successful Windows 7 deployment solution. You'll learn the key steps in succeeding with your Windows 7 deployment:

• Gathering and using a hardware, software, and driver inventory.

• Building images, including every administrator's dream, the Single Image That Installs Everywhere.

• Incorporating deployment mechanisms using multicast, over-the-network, and USB sticks.

• Packaging applications and automatically injecting them into a Windows installation.

• Automating patches and updates to images and applications.

• Dealing with and actually fixing application compatibility issues.
Microsoft System Center Operations Manager 2012 Dashboards

A solid framework now supports integrated dashboards

Microsoft System Center Operations Manager 2012 offers significant new functionality, including enhanced network monitoring and application performance monitoring, as well as architectural changes to remove the root management server and to add management server pools. These capabilities are all important, but one of the most interesting investments is Operations Manager 2012’s integrated dashboard functionality.

Dashboard History

Let’s start with a little history of Operations Manager and dashboards. When Operations Manager 2007 was released, its built-in dashboard functionality provided a way to display multiple views in one dashboard interface. This functionality was useful when the Operations Manager console was scoped to a group of users: Their views were combined in a single dashboard. However, this type of a dashboard wasn’t very flexible and didn’t meet common requirements, including

• a Network Operations Center (NOC) display that shows the health of various key applications or websites

• a customizable view that shows the health and interrelationship of applications that are monitored by Operations Manager

• the ability to provide custom charts, graphs, or gauges beyond those available in the built-in performance view

Microsoft added Service Level Dashboard 2.0 for Operations Manager 2007 R2. This solution integrated service levels with Operations Manager and used a Microsoft Office SharePoint Server 2007 solution to display these service levels. The updated display included a gauge for the current availability and a historical chart for the service level. This solution provided integrated reporting for the Service Level Dashboard information and used SharePoint 2007 Service Pack 1 (SP1) or Windows SharePoint Services (WSS) 3.0 SP1 to display it.

Microsoft later provided the Visio 2010 Add-in for Operations Manager 2007 R2. The add-in integrated Visio diagrams with Operations Manager, using Visio 2010 and SharePoint 2010 Enterprise Edition. This technology (or the third-party solution from Savision, Live Maps for Microsoft System Center) provided a way to generate an NOC view and to display the health and interrelationships of applications monitored by Operations Manager.

Microsoft System Center Configuration Manager (SCCM) and Service Manager added dashboard functionality through a solution accelerator. This provided a method to generate charts, graphs, and gauges, based on queries of data from Microsoft SQL Server databases, including the OperationsManager and OperationsManagerDW databases.

Using these various technologies, a comprehensive solution could be developed to meet most dashboard requirements for Operations Manager. For more details on Operations Manager 2007 R2 and its dashboard solutions, see “Operations Manager Dashboards.”

The Framework

Flash forward to Operations Manager 2012, which introduces a flexible and powerful framework that integrates dashboard solutions directly into the Operations Manager console. A few new terms are introduced as part of this functionality:

• Template—the layout that is defined for a dashboard. Options include a column, grid, or Service Level Dashboard layout.

• Widget—the components that are added into a template to display data. Widgets can display alert, performance, or state information from Operations Manager.

You build Operations Manager 2012 dashboards directly into the Monitoring pane of the Operations Manager console, by creating a new dashboard view. When a dashboard view is created, the New Dashboard and Widget Wizard starts automatically. This wizard provides two templates that are used to provide the structure into which widgets are added.

The column layout divides the dashboard into a series of vertical sections so that you can add different widgets to the different columns of the dashboard. Figure 1 shows a two-column layout in which widgets can be added to the left or right side. The column layout allows additional widgets to be added to the bottom of the columns so that a user can scroll through the content that the various widgets provide in the dashboard.

The grid layout divides the dashboard into one to nine cells to which widgets can be added. Available layouts vary depending on the number of cells that are specified. Figure 2 displays the options that are available when you use a four-cell grid layout.

After you specify a dashboard column or grid template, you can add widgets to the framework. In addition, you can put other layouts inside the template. For example, you can create a two-column layout, and then add a grid to one of the columns or subdivide a column into two subcolumns. Figure 3 shows a two-column layout in which the second column contains a four-cell grid.

Figure 1: Adding widgets in a two-column layout

Figure 2: Options for a four-cell grid layout

The Service Level Dashboard functionality in Operations Manager 2012 is available as a dashboard layout. This layout provides a quick way to display service level information. Figure 4 shows an example of a service level that is defined for Operations Manager, with different service level objectives based on whether planned maintenance is counted as downtime.

The templates that Microsoft has built for dashboard solutions provide an extremely flexible framework that can provide a variety of dashboard solutions, depending on the available widgets.

Figure 3: Inserting grids in a column

Figure 4: Defining a service level
The Wonderful World of Widgets

After you define a framework for your dashboard, using the available templates, you can display Operations Manager data through the addition of widgets. After creating the dashboard, you add widgets by clicking the Click to add widget option, which you can see in Figure 3.

Figure 5: The alert widget
Six widgets are available in Operations Manager 2012: the alert widget, state widget, details widget, instance details widget, performance widget, and objects by performance widget.

Alert widget. The alert widget provides a way to display alert information in a dashboard. Alert views can be scoped to a group or object to the left of the default view of all objects. Criteria can be defined to restrict the view to display only alerts of specific severities (e.g., Critical, Warning, Informational), priorities (e.g., High, Medium, Low), or resolution states (e.g., New, Closed, custom resolution states). Column choices are available for all available informational fields, from the name of the alert to the custom fields for the alert. You can specify the sort order and grouping for the alerts. You can also enable the option to display alert details inline. This option displays the information for the alert that you highlight in the alert widget, as Figure 5 shows. After a widget has been created, you can use filtering to display specific data. (The alert widget in Figure 5 displays only alerts that match the filter “windows server 2008 r2”.)

State widget. The state widget provides a way to display state information in a dashboard. State views can be scoped to include groups or objects that you choose. You can specify the class to display (e.g., the Windows Computer class). You can restrict the state view to display data only in specific health states (e.g., Healthy, Warning, Critical, Not Monitored) or to display only objects in maintenance mode. In the state view, you can choose various columns from the available informational fields (e.g., the path and health of the object), and you can specify the sort order and grouping for the state information that is displayed. Figure 6 shows a simple state view that displays the health, display name, and maintenance mode information for all Operations Manager monitored systems (both agent and agentless).

Details widget. The details widget displays the details for the object that’s highlighted in the dashboard view. For example, if an Operations Manager agent is highlighted, then the details widget displays the display name, path, health, object display name, maximum queue size, port, and other details for that agent. If an alert is highlighted in the dashboard view, then the widget shows the details of the alert, such as the description, source, path, monitor or rule, and when the alert was created.

Instance details widget. The instance details widget is like the details widget, but the specific group or object it displays data for in the dashboard is determined when the widget is added instead of when an object is highlighted in the dashboard view.

Performance widget. The performance widget provides a way to display performance information in a dashboard. To add counters to a performance widget, choose a group or object and then add one or more performance counters. You can add multiple counters, such as % Processor Time, PercentMemoryUsed, and % Free Space, to the same performance widget. A time range for the performance counters defaults to 24 hours but can be decreased or increased, up to the retention period for the data warehouse.

Figure 6: The state widget

The performance widget doesn’t have the same limitation as a performance view in Operations Manager. Performance views read from the OperationsManager database, in which data is retained for a period of 7 days by default. Because the performance widget reads from the OperationsManagerDW database, the widget can provide data that spans longer periods (up to the retention period of the data warehouse, which is 400 days by default).

You can display various fields in the performance widget, including the minimum, maximum, and average values for the performance counter. Figure 7 shows % Processor Time for servers in a group over the past 30 days, ordered by maximum value. This approach makes it easier to locate systems that are experiencing high processor utilization. The same approach can easily be used to represent history for other performance counters, such as % Free Space, and then ordered to sort by the minimum value, to identify low disk-space conditions.

Figure 7: The performance widget

Objects by performance widget. The objects by performance widget provides performance information for the specified object or group of objects, based on the performance counter that you specify, for a duration of up to 10 days. The widget shows either a specified number of top or bottom number results. For example, to use this widget to create a list of the top 10 disks that have the least amount of free disk space on the C drive, as Figure 8 shows, choose the All Windows Computer Group and the LogicalDisk / % Free Space / C: counter.

Figure 8: The objects by performance widget (Objects by Performance (10): columns Target, Path, Average value, Performance Object, Performance Counter, Performance Instance; ten rows for LogicalDisk / % Free Space / C:)


It appears that Microsoft has made this framework flexible so that vendors can write their own widgets for the dashboard framework. An example of this is Savision’s Live Maps solution, which can be integrated with the Operations Manager dashboard framework (for more information about this solution, see the Learning Path).

Homes for Widgets?

Another way that Microsoft has made changes to Operations Manager 2012 is to provide a much more consistent user experience between the Operations Manager console and the Operations Manager web console. The new web console is based on Microsoft Silverlight, and the Operations Manager 2012 dashboard functions the same in both consoles, for a virtually identical dashboard experience. Figure 9 shows an example of the Operations Manager 2012 web console, displaying examples of the three widgets that I discuss in this article. Microsoft has also provided integration for widgets so that they can be displayed in SharePoint 2010. Resources for the steps that are required to integrate these widgets are included in the Learning Path box.


Figure 9: Operations Manager 2012 web console



Manipulating Dashboards

After a dashboard template has been created, you cannot change between the grid and column layouts. To make that change, you must delete the original dashboard and create a new one.

Although you can’t switch between layouts, you can update the number of columns and cells in a grid. To change the number of columns in a dashboard or the number of cells in a grid, right-click the dashboard and change its properties through the Update Configuration Wizard.

You can also change the widgets within a dashboard. You can modify existing widget functionality by using the gear icon on the top right of the widget, as shown in Figure 10. Click the icon to access these options:

• Delete Contents—Remove the widget that was added to the 
template. 

• Swap with next widget—Move the highlighted dashboard to the 
next space to the right in the same section of the template. 

• Swap with previous widget—Move the highlighted dashboard to 
the next space to the left in the same section of the template. 

• Configure—Change the configuration of the widget. 

• Personalize—Leave the original widget configuration in place but 
personalize how it works. 

Dashboards are not static. Because of the framework that the 
Operations Manager 2012 dashboards use, they can be updated easily 
after they have been created. 


Learning Path

For more information about Operations Manager's features and functionality:

"Introducing Operations Manager 2012 Dashboards"

"Operations Manager 2012 Dashboards—The Alert Widget"

"Operations Manager 2012 Dashboards—Performance Widget"

"OpsMgr 2012, Savision & Dashboards"

"How are OpsMgr 2012 Dashboards Different from Reports?"

"Using SharePoint to View Operations Manager Data"


Dashboards Currently Available

At the time of this writing, four dashboards are included in Operations Manager 2012. Two are in Networking Monitoring, and two are in the Operations Manager Management Pack:

• Network Summary Dashboard (Network Monitoring)—This dashboard displays the nodes with the slowest response time, nodes with the highest CPU, interfaces with the highest CPU, and interfaces with the most send errors (over the past 7 days)

• Network Vicinity Dashboard (Network Monitoring)—This dashboard shows the devices in the vicinity of the network device, availability information, properties of the node, and average response time.

• Management Group Health (Management Pack)—This dashboard (shown in Figure 11) provides the health of the management group functions and the management group infrastructure, as well as any active alerts, agent configuration information, and agent versions.

• Management Group Health Trend (Management Pack)—This dashboard displays the number of active alerts and the agent health state (over the past 7 days).

Figure 10: Modifying widget functionality (gear menu: Delete Contents, Swap with next widget, Swap with previous widget, Configure, Personalize)

More prebuilt dashboards, including those for information from other Microsoft products, are likely to be added now that Operations Manager 2012 has been released to manufacturing. The dashboard solutions in Operations Manager 2012 are stored in these management packs:

• Microsoft SystemCenter DataProviders Library—This pack contains the data provider components that receive data from the OperationsManager and OperationsManagerDW databases for display in the UI controls.

• Microsoft SystemCenter Visualization Network Library—This pack contains the components and implementation for the majority of the network dashboard.

• Microsoft SystemCenter Visualization Configuration Library—This pack contains components that enable personalization and configuration of all dashboards.

• Microsoft SystemCenter Visualization Network Dashboard—This pack contains the definition of the network dashboards and references the components in the Microsoft SystemCenter Visualization Network Library.

• Microsoft SystemCenter Visualization Internal—This pack contains internal components that the dashboard UI framework uses.

• Microsoft SystemCenter Visualization Library—This pack contains the majority of the UI controls that comprise the widgets. Widgets are used in both the IT Pro dashboard creation and the out-of-box dashboards, such as the network dashboards.

• Microsoft SystemCenter Visualization ServiceLevelComponents—This pack contains the Dial service level gauges that are in the network summary dashboards.

Microsoft has done a solid job filling the gap that has existed in the Operations Manager product line with a solid framework. This extensible framework uses templates to define dashboard layouts, into which widgets are added. ■

InstantDoc ID 141491
HTML 5 is all the rage today.

Learning HTML 5 will ensure that your web applications will work across many different browsers. Of course, that is once all browsers support HTML 5. But that day is coming sooner, rather than later. In this introductory set of webcasts you will learn the new HTML 5 tags to help you build better websites.

You will also learn new tips and tricks in CSS 3.

Finally you will learn how to add some simple reusable styles to spice up

http://elearning.left-brain.com/event/from-zero-to-html-5
Product News for IT Pros

Veeam Extends Hyper-V Support

Veeam Software is adding support for Windows Server Hyper-V and Microsoft Hyper-V Server to its Veeam ONE solution for VMware. As an integrated solution built from the power of Veeam Monitor, Veeam Reporter, and Veeam Business View, Veeam ONE is well-suited for IT professionals in small-to-midsized businesses (SMBs) that often work under budget and staff constraints. In particular, Veeam ONE brings capabilities to Hyper-V that address critical virtualization challenges: real-time monitoring, efficient allocation of resources, documentation of the virtual infrastructure, and management reporting for performance, utilization, and workload. Veeam ONE is framework-independent and easy to deploy and manage. Veeam ONE is available as a standalone product and also as part of Veeam Essentials and the Veeam Management Suite. For more information, visit the Veeam website.

BrightWork 10 for SharePoint

BrightWork introduced BrightWork 10 for SharePoint, a solution for managing work, projects, and portfolios. The BrightWork product delivers best-practice templates and reporting dashboards out of the box, enabling team members and project managers to organize and manage their work and projects, while providing senior managers with visibility across portfolios. Highlights of BrightWork 10 include a new Project Metrics List that can automatically capture and track critical project metrics, assign warning and danger indicators to metric values, and visualize how the metrics have evolved over time; three new project management templates (Project Lite, Project Standard, and Project Structured); and enhanced reporting with new Periodic Status Reports and better Microsoft Project to SharePoint synchronization. For more information, see the BrightWork website.

Big Switch Releases Open-Source OpenFlow Controller

Big Switch Networks released Floodlight, an Apache-licensed open-source OpenFlow Controller, as part of its commitment to the open-source community around Software-Defined Networking (SDN). OpenFlow Controllers are central components of SDN because they capture control information from OpenFlow-enabled switches to centrally manage networks. Floodlight offers a powerful platform to commercial developers to build SDN network services and helps network administrators experience OpenFlow firsthand. Floodlight will be a component of Big Switch Networks’ commercial controller and the foundation for additional features and network applications. Floodlight is offered under the Apache 2.0 license, the preferred license of enterprises according to a recent survey by OpenLogic and the license used by other fast-growing projects such as Hadoop and OpenStack. For more information, visit the Big Switch Networks website.



TITUS Protects Sensitive Business Information 

TITUS announced the availability of TITUS Metadata Security Claims Edition for Microsoft SharePoint. The latest release of this security solution for SharePoint enables claims-based authorization using trusted user attributes to control access to sensitive content. Microsoft introduced support for claims-based authentication in SharePoint 2010. Trusted attributes about a user’s identity, or claims, can be used in SharePoint to enhance and enforce policies around user authentication and federation. By leveraging claims, organizations can go beyond simple user and group permissions and utilize the benefits of user attributes to help secure their sensitive information in SharePoint. TITUS Metadata Security Claims Edition takes SharePoint security a step further by allowing organizations to not only use document metadata, but to also use trusted user claims to secure content and enforce policies within Microsoft SharePoint. For more information, visit the TITUS website.


Quest Updates NetVault FastRecover

Quest Software released NetVault FastRecover 4.5, which enhances the company’s continuous data protection (CDP) capabilities by enabling instant recovery of critical Oracle data through patented Virtual On-Demand Recovery technology. NetVault FastRecover 4.5 enables users to take real-time snapshots of an Oracle database and safely store them in a NetVault FastRecover Server. In the event of a corruption or data loss, end users can access the Oracle application data within seconds after a restore is initiated. Using NetVault FastRecover 4.5’s built-in replication feature, Oracle data can also be sent over a WAN from one NetVault FastRecover server to another, delivering effective protection for remote and branch offices, and enabling companies to implement a cost-effective disaster recovery strategy. For more information, visit the Quest Software website.


PRODUCT SPOTLIGHT

Condusiv Introduces Undelete 10

Condusiv Technologies (formerly Diskeeper) announced the release of Undelete 10, which provides real-time data protection and instant data recovery. The Server, Professional, and Client editions of Undelete let you see the contents of Recovery Bins on remote computers such as file servers, allowing IT or users to recover deleted files across the network with a single click of a button. It's no longer necessary to search backup tapes or Windows Shadow copies when a user accidentally deletes a file from the server. Undelete can also restore files previously purged from the Recycle Bin or the Undelete Recovery Bin—even if they were deleted before Undelete was installed.

When a file is deleted, it's automatically captured and stored in the Undelete Recovery Bin. Undelete 10 captures all the files the Windows Recycle Bin misses, such as those deleted from shared network folders, deleted from commonly used applications, deleted by the Windows command prompt, or replaced when newer versions of a file are saved. Also, if a file is modified several times between a backup or shadow copy, it won't be saved. With Undelete, these file versions will be saved and are recoverable.

Undelete 10 features single-button search for recent files, a new search wizard, a new UI, and a "Set it and Forget It" mode, and it's available in Server, Client, Professional, and Home editions. For more information, go to the Condusiv website.



Micron Announces First 2.5" PCIe Enterprise SSD

Micron Technology announced that it has developed a 2.5" enterprise solid-state disk (SSD) based on a PCIe interface. The solution combines a high-performance PCIe interface with a hot-swappable 2.5" form factor that creates new options for enterprise server performance scalability and serviceability. Because the 2.5" form factor allows PCIe SSDs to be integrated into the front end of the server (like traditional data storage drives), customers can easily service the drive or scale performance, without ever powering down the server. The new solution was selected as a key storage device in Dell’s PowerEdge 12th-generation servers. These servers use innovative, front-accessible backplane designs that accommodate 2.5" SATA, SAS, and PCIe devices, allowing customers to choose the appropriate combination of data storage and caching devices to optimize performance and storage to suit their needs. For more information, go to the Micron Technology website. ■


PAUL’S PICKS

www.winsupersite.com

SUMMARIES of in-depth product reviews on Paul Thurrott's SuperSite for Windows




Windows 8 Consumer Preview

PROS: Nearly feature-complete look at Microsoft's next OS; fun and colorful Metro apps; some useful desktop improvements

CONS: Dueling UIs could be confusing for users; Metro makes more sense for touch devices, which are currently rare

RATING: ★★★★☆

RECOMMENDATION: Windows 8 is the single biggest change that Microsoft has ever made to its flagship Windows OS, and yes, I'm including Windows 95 and NT. It has a brand new runtime engine, new user experience environment, new APIs and SDKs for developers, and a weird dual UI that puts the old desktop on the PC right next to the new stuff. It's beautiful, bizarre, and, frankly, kind of a mess. If you're an IT pro worried about how this is going to affect your environment—well, you should be. Windows 8 positions Windows for an Apple iPad-like future of simpler, touch-based computing. It's superior—technically, and from a usability perspective—to Apple's Fisher Price-like offering. Where the iPad is just a big iPod Touch, a Windows 8 tablet has the opportunity to be a prettier device that's infinitely more manageable.

CONTACT: Microsoft

Full Review

Windows Phone "Tango"

PROS: Extends Windows Phone to higher-volume, lower-cost markets

CONS: Confuses an already confusing product line in which carriers often ignore Microsoft's updates, leaving users stranded

RATING:

RECOMMENDATION: Microsoft has been tight-lipped about Tango, its code-named release—or more accurately, set of releases—that will extend the platform's reach into numerous new high-volume and low-cost markets, including China. Tango is a rejiggering of Windows Phone's ability to handle on-phone resources, especially RAM—the minimum is now 256MB on new low-end devices—but also such things as background processes. Developers will need to hand-tune their apps to work properly with new Tango-based phones, and users might find the occasional app in the Windows Phone Marketplace that simply won't work. For those with existing devices, Tango will be a more evolutionary update with few functional improvements—and, no, that won't impede your phone's ability to use its more full-featured resources—and bug fixes. Perhaps some carriers might even roll it out.

CONTACT: Microsoft

Full Review
Transend Migrator 10.5

Russell Smith is an independent IT consultant specializing in systems management and security, and author of Least Privilege Security for Windows 7, Vista and XP (Packt).



In the past, I’ve had to migrate less-common email clients, such as Pegasus Mail and Eudora, to Microsoft Outlook. Outlook’s import/export functionality proved less than reliable, with random freezing and unhelpful error messages. Outlook IMAP support also left much to be desired, often hanging and always slow, making it an awkward migration solution. Transend Migrator is designed to move mail from legacy mail clients and servers to more commonly used systems reliably and with verbose logging so that it’s easy to troubleshoot problems that might occur along the way. Although Migrator’s primary intended use is to move mail from legacy systems, there’s no reason why you can’t migrate to a legacy client or server if needed.

On starting the application, you’re presented with a simple interface for single-user migrations, which Figure 1 shows. Although the interface is divided into E-Mail, Address Book, Calendar, and Task/To Do categories, all the necessary information entered for Email can be automatically copied so that a migration task can be launched without entering the same username, password, and path information in the other categories.

During my testing, I used a combination of connection types, including IMAP4, MAPI, and PST with Outlook, Gmail, Windows Live Mail, Pegasus Mail, and Exchange Server. Migrator proved to be very reliable in maintaining the integrity of the data in the target and in providing verbose logging.

Exchange/Outlook Systems

Migrator supports Exchange Server 2003 and later (32-bit) and Outlook 2003 and later (32-bit). The first thing that strikes you about the options for migrating Exchange/Outlook-based email is that Migrator uses MAPI to pull and push data through Outlook or personal folder store (PST) files (non-MAPI). You can’t make a direct connection to an Exchange server using remote procedure call (RPC); you can use only IMAP4. There’s an option to work with offline folder store (OST) files as the data source if Outlook is configured in Exchange Cached mode. However, as Transend notes, OST files are not a reliable source for data migration.

Figure 1

Migrating a single user in Transend Migrator

There are a few prerequisites before you can migrate to or from 
Exchange/Outlook. The computer on which Migrator is installed 
must belong to the same domain as the Exchange server. The user 
performing the migration needs to have Receive-As permission on 
the mailbox database where the target email accounts are located. 
Outlook must also be installed on the same computer as Migrator and 
be the default mail client. 

The documentation for preparing an Exchange server for migration was disappointing. I wasn’t always able to determine what scenario the technical instructions were intended to match. It would be better if the Help files and white papers were organized by migration scenario. I was also disappointed to find that instructions for working with Office 365 weren’t available yet for Migrator 10.5. However, Migrator 10.5’s support for Exchange Web Services means that migrations to Office 365 will be faster and more reliable than the IMAP-based migrations used in Migrator 9.x.

Other Messaging Systems 

Where Migrator comes into its own is support for a wide range of different messaging systems. In the list of source systems, you’ll find email clients such as Eudora, Pegasus Mail, and Thunderbird. Web mail is also supported, and I was able to connect to my Gmail account with no problems. Although it’s not listed as an option in the drop-down menus, it’s possible to connect to Windows Live Mail (Hotmail) via IMAP.

Advanced Features 

Migrator offers many advanced features. You can exclude certain folders from the source and migrate folders to an alternate destination on the target. You can do address translation, which is especially useful for converting x.500 addresses to standard SMTP. You can migrate mail to an HTML or PDF format, which would be handy for creating searchable archives. Migrator also includes a separate application, Message Vault, specifically for archiving mail.

But the most powerful feature of Migrator is the batch mode for moving multiple mailboxes simultaneously. Batch mode works by adding data to a table of generic predefined variable names ($Var1, $Var2, and so on). Data can be entered manually or loaded from a spreadsheet. Once the migration table is created, the variable names can be inserted as needed on the migration setup screen for a single user. Batch migrations can be scheduled using the GUI or the command-line interface. ■
Transend Migrator 10.5

PROS: Comprehensive support and reliability for migrating mail from different messaging systems

CONS: Documentation could be improved; no wizards for setting up batch migrations

RATING:

PRICE: $49 per user, plus optional $25 per user for technical support; volume license packs available

RECOMMENDATION: A good solution for migrating single users or entire organizations from esoteric messaging systems to more common platforms.

CONTACT: Transend • 650-324-5370
Acer Aspire S3

Since the introduction of the MacBook Air in early 2008, the market has been flooded with laptop models meant to replicate the experience provided by Apple’s flagship machine. Along these lines, Intel introduced the marketing term ultrabook, meant to define a class of higher-end laptops that are reduced in size and weight but without compromise of battery life or overall performance. The Acer Aspire S3 ultrabook that I recently tested is a member of this category of machines.

The demo unit that Acer provided me with for the purpose of this review came equipped with an Intel Core i5 processor (1.6GHz) with 4GB of RAM, a hybrid hard-disk solution, 13.3" Widescreen extended Graphics Array (WXGA) display, and Windows 7 Home Premium 64-bit. The hybrid hard-disk solution consisted of a 320GB magnetic disk and 20GB solid state disk (SSD). I spent three full days using the Aspire S3 as my primary work machine to see how well an IT pro would fare using such a machine.

I was pleased that the machine proved capable at meeting my everyday workload. I was able to connect to my wireless LAN (WLAN) without any issues and loaded the machine with my usual gamut of applications, including Microsoft Office 2010, Google Chrome, and a plethora of utilities such as PuTTY and the Sysinternals Suite of tools. All of my applications performed well without any noticeable performance problems. Unlike many of my colleagues, I have no need to run a hypervisor on my laptop for demos or testing. If I did, it’s unlikely that this machine would be able to pass muster. However, for my daily use, its performance proved more than adequate.

I was disappointed, however, that the machine included some preinstalled software that I would have otherwise chosen not to install. The installed Bing toolbar, for example, was one of the first applications that I removed. I won’t dispute the usefulness of such software, but most IT pros (myself included) prefer to start with as blank a slate as possible when configuring machines. This problem was highlighted by the inclusion of McAfee anti-malware software, which immediately nagged me to connect to the Internet and update it on my first boot of the laptop. I didn’t even have the chance to connect the laptop to my WLAN before this occurred. If this were my own machine and not a review unit, I would’ve likely stopped at this point and wiped the machine completely so I could start from a clean slate.

I was further disappointed to see a hybrid hard-disk solution instead of an SSD, but the laptop didn’t seem to suffer from it, with the exception of some extra heat and the accompanying hard disk noise. What did impact my day-to-day usage was the placement of the USB ports. The laptop’s two USB ports are located on the rear of the unit in the center where they were hard to get to. I was constantly reaching behind the machine to ensure that any USB disk or wireless WAN (WWAN) adapter I installed wasn’t being bent or otherwise coming out of the port due to my movement of the machine around my office during the day. There appears to be ample space on the left and right sides of the unit, so I can’t be sure why Acer didn’t include at least one USB port on either side.

Figure 1

Acer Aspire S3

I was impressed with the three-cell battery, which provided me with approximately four hours of continuous use. I didn’t alter my computer usage during testing and was often running multiple applications. I had the screen brightness set to approximately 50 percent, and Wi-Fi was always on. I also didn’t deter from using browser add-ins, such as Adobe Flash Player or Java. The battery life proved capable in all of these situations.

I felt the display, keyboard, and trackpad were only adequate. I would’ve preferred a matte display over the glossy one Acer chose to use, but this is more a personal choice than a ding against the machine. The keyboard felt fine to type on, but I would’ve preferred if there were more contrast between the keyboard and the laptop itself. Both are a shade of platinum (see Figure 1), leaving little contrast, thereby making the keyboard harder to use in low-light situations. As for the trackpad, I initially had some trouble with it not registering clicks, but I was able to remedy this by turning off the “tap to click” feature and adjusting the sensitivity with a Control Panel applet.

My only major complaint is that there isn’t anything about this 
laptop to get overly excited about. Having used and personally owned 
dozens of laptops over the past two decades, there isn’t anything that 
the Aspire S3 does to make me want to go out and buy the product 
immediately. That being said, overall Acer has done a good job with 
its first entry in the ultrabook category. Aspire S3 is a fine choice to 
put on your shopping list if you’re looking for a MacBook Air that’s 
not a MacBook Air. ■ 
Acer Aspire S3

PROS: Sleek, thin laptop with good performance for everyday workloads

CONS: Hybrid hard-disk solution; no side USB ports

RATING:

PRICE: $900 for unit tested (prices vary based on features and hard disk size)

RECOMMENDATION: The Acer Aspire S3 ultrabook is a solid addition to the burgeoning ultrabook market segment.

CONTACT: Acer • 408-533-7700
Viewfinity Privilege Management

Having domain users be the local administrators of their own computers is a bad but common practice. To make matters worse, if the Domain Users group is a member of the local administrator group, the users also have administrative privileges on every computer in the domain. Administrators know that this is a security risk, but on top of the daily fires that they have to extinguish, there often isn’t time to remedy this situation.
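Before deciding whether a tool like this is needed, it helps to know how widespread the problem is. The following PowerShell script is an added example, not code from Viewfinity or from the magazine: it enumerates the local Administrators group on one or more computers and flags the exact case the paragraph warns about, a domain-wide group such as Domain Users holding local admin rights. It uses the WinNT ADSI provider, which exists on XP and Windows 7 era hosts as well as current ones, and assumes the caller has administrative rights on the targets and that RPC/SMB can reach them (both assumptions); the function name Get-LocalAdminMembers and the computer names passed in are the example's own.

```powershell
# Added example (not Viewfinity's or Windows IT Pro's code): audit local Administrators
# membership and flag domain-wide groups, in particular "Domain Users".
# Assumptions: WinNT ADSI provider reachable over RPC/SMB, caller is a local admin on
# each target, and $ComputerName holds NetBIOS names (the default is this machine).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Each member is a COM object; read its ADsPath (e.g. WinNT://CONTOSO/Domain Users)
        # and its class ('User' or 'Group') through late-bound property access.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $cls  = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        # Local accounts carry the computer name in the path; domain principals do not.
        $container = @($parts[0..($parts.Length - 2)])
        [pscustomobject]@{
            Computer = $Computer
            Scope    = if ($container -contains $Computer) { 'Local' } else { 'Domain' }
            Name     = "$($parts[0])\$($parts[-1])"
            Class    = $cls
        }
    }
}

foreach ($c in $ComputerName) {
    try {
        $members = @(Get-LocalAdminMembers -Computer $c)
    } catch {
        Write-Warning "${c}: could not enumerate Administrators ($($_.Exception.Message))"
        continue
    }
    $members | Format-Table -AutoSize

    # The review's worst case: a domain-wide group sitting in local Administrators means
    # every domain user is an administrator on this host.
    $broad = $members | Where-Object {
        $_.Scope -eq 'Domain' -and $_.Class -eq 'Group' -and $_.Name -match '\\Domain Users$'
    }
    if ($broad) {
        Write-Warning "${c}: 'Domain Users' is a member of local Administrators"
    }
}
```

Run it with a list of computer names (`.\Audit-LocalAdmins.ps1 -ComputerName PC01,PC02`) and review the warnings first; the full table is useful for spotting individual domain accounts that were granted local admin ad hoc and then forgotten, which is the situation the paragraph describes administrators not having time to clean up.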

If they had the time, these administrators could lock down users’ computers, then deploy any software that a user requests by using a Group Policy Object (GPO) or a deployment tool. And if a user needed to run a tool or legacy software that requires Local Administrator privileges, administrators could use a tool such as Process Monitor to relax (via a GPO) the appropriate registry or NTFS security permissions. Deploying software and relaxing permissions when needed aren’t difficult tasks, but they can be time-consuming. In the end, many administrators just give up and grant users local administrator access to their machines so that they can move on to the next fire.

Viewfinity Privilege Management takes the work out of discovering the permissions that each application needs to function correctly. It also gives you the option of letting users install software on their own, while you still maintain control—all from an easy-to-manage console.

Viewfinity isn’t the first software company to come up with this type of solution. A few years ago, I reviewed a similar product in the article “Bit9 Parity.” The products are similar, but Viewfinity adds a new twist. In addition to a locally administered tool (GPO Editor) that runs on your network, Privilege Management can also be implemented using a Software as a Service (SaaS) model. Both the GPO Editor and SaaS editions of the product have their pros and cons.

Test Network

To test Privilege Management, I used a test network consisting of a Windows Server 2008 domain, a Windows XP client, and a Windows 7 client. For testing the GPO Editor edition, I added a Server 2008 member server to host the software.

Overview

For the most part, the GPO Editor and SaaS editions of Privilege Management function identically. They divide the applications that your users need to run into two groups:

• Applications that are currently installed; these applications are managed with applied policies

• Applications that your users will likely want to use in the future; these applications are managed with a feature named Policy Automation

If users need to use a particular application or tool in their day-to-day activities, you can create a policy that allows its use. For example, in a locked-down computer environment, non-administrator users can’t run the Disk Defrag utility, change the power options, or change the date, time, or time zone. You can create a policy that lets them do these things. In addition, if there’s a legacy program that users need but it requires Local Administrator privileges to run, you can configure a policy so that they’re allowed to run this program with escalated security privileges, while keeping the users out of the Local Administrator security group.

This is a great start, for sure. But eventually you’ll run into the problem I mentioned previously—you simply don’t have time to research and write a policy for every single application that users might want to use. This is where Policy Automation comes in.
Policy Automation actively monitors the applications that your users attempt to use. They’re prompted by a dialog box that asks them to write a short justification for why they need access to a specific tool or application. This request is then logged in the Privilege Management tool, where you can quickly write a new policy that allows them to use the software that they’ve requested. The new policy can be implemented right away or at a specific date and time. You can also set a policy to expire at a certain date and time. What makes Policy Automation extremely powerful is that the Viewfinity client agent sends all the data needed to create a policy for the requested application back to the management console. You simply right-click the event (e.g., a user attempted to set the date and time), choose Create Policy, and follow a wizard’s instructions.

GPO Editor Edition

If you would like to manage the back-end server yourself, Privilege Management comes in a standard executable that you install on your own server. Double-clicking VFGPOEditorSetup.exe takes care of the prerequisites, such as Microsoft .NET Framework 3.5 SP1 and Microsoft Report Viewer 2010, during the installation. The entire administrative console is built as an add-on to the Group Policy Management Console (GPMC), as Figure 1 shows.

Each computer that you want to manage needs to have a client agent installed. The agent comes in an .msi file, so installing it with a GPO, Microsoft System Center Configuration Manager (SCCM), or your favorite third-party deployment tool is a snap.

One of the advantages of the GPO Editor edition is the close integration with Group Policy and GPMC. As a result of this integration, you can easily target specific users and computers.

Another advantage over the SaaS product is that you and you alone control the product. You don’t have to rely on an administrator in someone else’s data center (aka the cloud) to ensure that your users are able to run the software that they require.

Figure 1

The administrative console in the GPO Editor edition


I found the GPO Editor edition to be responsive and easy to use. 
I found only one disadvantage over the SaaS edition: slower policy 
updates. The SaaS edition has a very tight communication window 
with each Windows client, whereas the GPO Editor edition updates 
the policies for the clients during the standard GPO update cycle. I 
could speed this up by issuing the gpupdate /force command from the 
client, but it’s otherwise much slower than the SaaS edition. 

SaaS Edition

The SaaS edition is a service that you access over the Internet. The only software that is installed locally is the client agent on each computer you want to manage and a web plug-in on the computer that you’ll use to manage the Privilege Management software.

Like the agent for the GPO Editor edition, the agent for the SaaS edition comes in both 32- and 64-bit versions and can be installed on clients running XP SP3 or later. The client agents can be installed in one of three ways:

• Automated discovery of assets and agent deployment—After the agent is manually installed on one computer, this same agent software can discover and install the agent on the remaining computers in your domain.

• Manually install or install using a software deployment tool—The agent comes prepackaged in an .exe file for manual installation and an .msi file for deployment through a deployment tool.

• Email agent installation package link—Users are emailed a link that they use to download the agent and install it themselves.

I installed the agent manually on each client machine (as a local administrator) and was surprised to see the object almost immediately show up in the online SaaS console. To test the software, I logged on to the client as a domain user that was not a local administrator. Just like with the GPO Editor edition, managing the applications that users request is a snap. The management of the computers themselves is done through a web browser interface. Again, no server-side software is installed in your data center.

The SaaS edition has both pros and cons, just like the GPO Editor edition. For starters, as with all SaaS solutions, you are not in control of the data center components of the software. This was clearly evident during my testing when scheduled maintenance occurred for a length of time over a weekend, interrupting service.

I also noticed that the website can be slow. The web application 
hung a number of times during testing. If this happens when you’re 
creating policies, it can be frustrating. And I thought the SaaS interface 
wasn’t as intuitive as the on-site application, as a number of separate 
browser windows need to be open in order to use the application. 

One huge advantage that the SaaS edition has over the GPO Editor edition is the communication mechanism that it uses. Instead of having to open ports on the firewall to allow communication, all policies are transmitted via https (port 443), which is open on most firewalls. The SaaS edition was also much faster sending new policies to the clients. Instead of waiting for the next GPO refresh cycle, the new policies are sent almost immediately—most times in under a minute. If you have a mobile sales force that still doesn’t understand what the VPN is used for, the SaaS edition may be your best bet.

Windows 7 Versus XP

By using the included Quick Start Guide, I was able to easily set up a policy that allowed a non-administrator to run the built-in Disk Defrag utility. When I attempted to run software or access a restricted system tool (such as changing the date and time), I found it simple to create a policy from the log of the event.

I found the experience pleasurable for the Windows 7 client, but the XP client was more of a challenge. The applied policies worked fine. But the Policy Automation feature didn’t recognize many of the access attempts in XP that were recognized in Windows 7. According to Alex Shoykhet, vice president of product management at Viewfinity, this will be addressed in the next version. If you currently have XP machines, I recommend that you leave them alone and implement Privilege Management at the same time you roll out Windows 7 or Windows 8. Making the change at the same time you implement a shiny new OS might also help your users more easily accept the increased security.

A Powerful Tool 

Letting users operate as local administrators of their computers is bad 
security practice. Viewfinity takes much of the work out of determining 
how to relax the appropriate permissions in a locked-down computer 
environment. Add to this feature set the choice of using the SaaS or GPO 
Editor edition and you have a powerful tool in your back pocket. ■ 
PROS: Available in a local GPO Editor or SaaS edition; seamless integration with Windows 7; SaaS edition shines if you have a mobile workforce

CONS: SaaS edition website can be slow at times; slower policy updates with GPO Editor edition compared with SaaS edition; not all features work with XP, even though it's on the supported list

RATING:

PRICE: $20 to $40 per client (depending on edition); 25 percent of list price for 24 x 7 support and maintenance (both editions); volume discounts available

RECOMMENDATION: If you're in a Windows 7 shop and don't have time to properly set up your users' computers so that they can't destroy them, Viewfinity Privilege Management can do the hard work for you.

CONTACT: Viewfinity • 800-455-2010
Samsung Galaxy S II

What a difference a few years makes. The first iPhone was introduced less than five years ago and ushered in the new era of mobile communications. Since then, dozens (if not hundreds) of other smartphones have followed in the iPhone’s wake, resulting in the situation we find ourselves in today: Apple’s iPhone and devices powered by Google’s Android are the dominant smartphone options, with Research in Motion’s BlackBerry and Microsoft’s Windows Phone platforms vying for third place.

Entering the fray is the Samsung Galaxy S II, a phone that was 
available in most of the world in mid-2011 and arrived on US shores 
in the fall of 2011. My review unit arrived running on T-Mobile’s 
speedy 4G network, which happened to provide a good coverage area 
around the Windows IT Pro editorial offices in Fort Collins, CO. I use 
an iPhone 4S as my daily work phone, and I tested the Galaxy S II by 
using many of the same tasks I use my iPhone for. 

The first thing I noticed about the Galaxy S II was its bright and clear 
4.3" Super Active-Matrix Organic Light-Emitting Diode (AMOLED) dis¬ 
play, as Figure 1 shows. The Galaxy S II is a noticeably bigger phone 
than the iPhone 4S—which only has a 3.5" screen—and the display 
takes up much more of the surface of the phone than the iPhone’s dis¬ 
play does. Despite being a larger phone with a bigger screen, the Galaxy 
S II weighs less, at only 116 grams (4.6 oz). By comparison, the iPhone 
4S feels denser and more solid, weighing in at 140 grams (4.9 oz). I pre¬ 
ferred the more solid feel of the iPhone but liked the larger screen size 
of the Galaxy S II. 

The Galaxy S II offers more potential storage space by virtue of 
accepting up to a 32GB microSD card. The review unit came with 
16GB of hardwired flash memory, so the ability to accept more 
storage in addition to that is a definite point in Samsung’s favor. 
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Samsung Galaxy S II 


This particular Galaxy was also running Google’s Android 2.3.6 Gingerbread OS.

All that extra storage can come in handy when you take advantage of the included 8 megapixel camera, which also offers an LED flash, autofocus, and the ability to record video in full 1080p HD resolution. I took several dozen photos and several minutes of HD video for testing purposes. The camera performed well in both low-light and overexposed lighting conditions. The more advanced optics in the iPhone 4S might give it a slight edge here, but the Galaxy S II is clearly no slouch in the video department. The Galaxy S II also offers a forward-facing 2 megapixel front camera for making video chats and self-portraits.

All of this capability is powered by a Qualcomm 1.5GHz dual-core Snapdragon S3 processor, which helps make the Galaxy S II one of the speedier Android phones I’ve tested. Applications open quickly, games run smoothly, and performance is generally comparable to other leading Android phones. As with all smartphones, using your device to play games and watch video can drain the battery quickly. After using the Galaxy S II for several weeks, I found that it held a charge longer than my iPhone 4S using similar apps and roughly comparable use cases. Comparing battery life between two different phones that sport different processors, screen configurations, and other internal differences is never an exact science, but in my daily, non-scientific use I found that the Galaxy S II ended most days with more juice remaining. Call quality was generally as good as my iPhone 4S (which runs on Verizon), but web browsing and app downloads were much faster when I was away from a Wi-Fi network, thanks to T-Mobile’s speedy 4G network.



Figure 1: The Samsung Galaxy S II's crystal-clear 4.3" AMOLED display
Samsung Galaxy S II

PROS: Large 4.3" screen size; lightweight; long battery life; good overall performance; one of the top Android smartphones available

CONS: Saddled with a fair amount of semi-useful apps and bloatware

RATING:

PRICE: $229.99 (price doesn't include cost of wireless service)

RECOMMENDATION: Samsung has emerged as one of the leading Android smartphone manufacturers, and the Galaxy S II is one of the best smartphones available. The AMOLED screen is clear and bright, the build quality is first-rate, and the dual-core processor is up to any task you can throw at it.

CONTACT: Samsung • 800-726-7864


With most IT organizations now supporting smartphones from multiple manufacturers, it’s often helpful to know what software and services each phone provides to employees. Many carriers place their own mix of apps and software on the devices on their networks, and the T-Mobile Galaxy S II is no different. It’s not entirely fair to single out T-Mobile for this practice of installing their own assortment of bloatware on a device, but I found that the included T-Mobile bonus apps mainly cluttered up my display. It was simple enough to remove them, but are Android phones the new bloatware vehicle of choice? I sincerely hope not.

After spending a few weeks with the Galaxy S II, I’d definitely recommend it as a leading Android smartphone. It can hold its head high in the company of other Android standouts like the Motorola Droid Razr and Samsung Galaxy Nexus. Although I’m not ready to ditch my iPhone 4S, the Galaxy S II did exceed the iPhone in several areas, including its 4G speed, larger screen, lighter weight, and longer battery life. If you’re in the market for a good Android-powered smartphone, you can’t go wrong with the Galaxy S II. ■
Exchange Server e-Discovery

Products go beyond the basic e-discovery capabilities

E-discovery products let you search your messaging infrastructure for messages that contain specific keywords. E-discovery requirements are usually driven by a legal or compliance process. When a legal request comes in that requires the organization to provide all messages that contain a specific keyword or phrase, the e-discovery administrator is the one who needs to find all those messages and provide them to the requesting party.

In many firms, e-discovery isn’t handled by people whose primary responsibility is managing the messaging infrastructure. There’s a growing number of professionals whose expertise encompasses both the legal and messaging administration professions. This means that a good e-discovery product needs to be user-friendly and not require a deep understanding of how to construct regular expressions.

Exchange Server 2010 includes basic e-discovery functionality out of the box. To access this functionality, you use the Discovery area of the Exchange Control Panel (ECP), as Figure 1 shows. The ECP is available through a web interface.

Discovery searches in Exchange 2010 let you perform multi-mailbox searches on addresses in the To and From fields and date ranges. You can search specific mailboxes or all mailboxes in the organization, including archive mailboxes. You can use query-based criteria for selecting mailboxes, which can be helpful in organizations with tens of thousands of mailboxes. Exchange 2010 searches can use the AND, OR, and NOT operators. A user who has been delegated the Discovery Management role can use the ECP to search all message types, including email, meetings, tasks, notes, documents, journals, contacts, and IM conversations. Multi-mailbox search requires an Enterprise CAL. Another Enterprise CAL feature is litigation hold, which stops messages from being deleted directly or indirectly, even when users hard-delete them from their mailboxes.

Figure 1: The Discovery area in ECP
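The same search and hold features, driven from the Exchange Management Shell instead of the ECP, as an added example for this section (this is not code from the article or from any product reviewed here). The cmdlets and their parameters are Exchange 2010's own; the case name, mailbox aliases, query terms, and the assumption of Exchange 2010 SP1 or later (for the estimate-only run) are mine:

```powershell
# Added example, not from the article: Exchange Management Shell equivalents of the
# ECP Discovery search and litigation hold described above. Assumes Exchange 2010
# SP1 or later and an Enterprise CAL (required for multi-mailbox search and
# litigation hold). All aliases, the case name, and the query terms are placeholders.

# Check who already holds the Discovery Management role before delegating it.
# Members can search every mailbox in the organization, so keep this list short.
Get-RoleGroupMember -Identity "Discovery Management"

# Delegate the role to the e-discovery administrator (placeholder alias).
Add-RoleGroupMember -Identity "Discovery Management" -Member "ediscovery.admin"

# Put the custodians' mailboxes on litigation hold so items survive hard deletes,
# and record why in the retention comment so the hold is explainable in an audit.
$custodians = "alice", "bob"          # placeholder aliases
foreach ($user in $custodians) {
    Set-Mailbox -Identity $user -LitigationHoldEnabled $true `
        -RetentionComment "Case 42: hold placed by Legal; do not remove"
}

# The criteria the ECP offers: keywords combined with AND/OR/NOT, a date range,
# and message types. Run an estimate first; nothing is copied, so it is cheap.
$query = '("project falcon" OR "falcon contract") AND NOT invoice'
New-MailboxSearch -Name "Case 42 estimate" -SourceMailboxes $custodians `
    -SearchQuery $query -StartDate "01/01/2011" -EndDate "12/31/2011" `
    -MessageTypes Email,Meetings,IM -EstimateOnly

# Copy the real results into the organization's discovery mailbox.
# -SearchDumpster includes recoverable (hard-deleted) items; -LogLevel Full
# records which items were copied and from which source mailbox.
$target = (Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Select-Object -First 1).Alias
New-MailboxSearch -Name "Case 42" -SourceMailboxes $custodians `
    -SearchQuery $query -StartDate "01/01/2011" -EndDate "12/31/2011" `
    -MessageTypes Email,Meetings,IM -TargetMailbox $target `
    -SearchDumpster -LogLevel Full

# Exchange 2010 starts a new search on creation; start it explicitly only if it
# was left in the NotStarted state, then check its progress and result counts.
$search = Get-MailboxSearch -Identity "Case 42"
if ($search.Status -eq "NotStarted") { Start-MailboxSearch -Identity "Case 42" }
Get-MailboxSearch -Identity "Case 42" | Format-List Name,Status,ResultNumber,ResultSize
```

Running the estimate before the full copy is the shell equivalent of the trial searches the review praises later: it tells you whether the query is too broad before the results land in the discovery mailbox, and the role-membership check at the top is the control that keeps "who can search everyone's mail" reviewable.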

In this review, I look at two products that you can use for e-discovery that go beyond the basic functionality offered in Exchange 2010. Those products are Sherpa Software’s Discovery Attender and Quest Software’s Archive Manager.

Discovery Attender

Discovery Attender lets you search Exchange mailboxes, including archive mailboxes, public folders, and PST files. You can also use Discovery Attender to search Microsoft Office documents, NSF files created by Lotus Notes, and PDF files stored on accessible file shares and SharePoint servers.
You can deploy Discovery Attender on a workstation or a separate server. Sherpa Software recommends that you not run it on a computer used for mission critical tasks because the search process is processor intensive. Figure 2 shows the Discovery Attender interface.

With Discovery Attender, you can create complex and refined searches. This includes the ability to use wordlists. A keyword logic tree utility lets you examine the syntactic logic of your keywords to ensure that execution occurs as intended. You can save complex or common searches as templates, which you can easily modify for new circumstances. You can also perform trial searches against known data to determine whether the search parameters will return the types of results in which you’re interested before you query your organization’s entire Exchange infrastructure.

Discovery Attender results are returned to a local store, which you can then export to PST format. This ensures that messages that were returned are still available, even if they are later hard-deleted from the Exchange messaging infrastructure. Although regular users should be unable to delete messages placed on litigation hold in a properly configured Exchange infrastructure, it might be necessary to run discovery searches against Exchange administrators who have permission to bypass this setting.



Figure 2: The Discovery Attender interface
Discovery Attender is powerful, but there’s a steep learning curve when it comes to being able to fully leverage the product’s capabilities. Although e-discovery administrators can always read the documentation about all the query builder’s options, adding an IntelliSense-like capability would ensure that they’re aware of the product’s search capabilities. Discovery Attender is a comprehensive tool, but it will take most e-discovery administrators some time to be able to fully utilize all of its functionality.


Discovery Attender

PROS: Can search live data as well as PST files

CONS: Many users might not become aware of the full capabilities of the product

RATING:

PRICE: $2,450 for first installation, $1,500 for each additional installation

RECOMMENDATION: Discovery Attender is a great product if you need to search both messages stored in Exchange and users' PST files.

CONTACT: Sherpa Software • 800-255-5155 or 412-206-0005


Archive Manager

Archive Manager is a retention and discovery product. It captures, indexes, and stores messaging data in a repository. Messages are moved to the repository as soon as they are processed by the messaging server. This repository also serves as a message backup. You configure the repository so that your organization complies with appropriate retention requirements. You can grant access to users so that they can perform e-discovery searches against the contents of this repository. Archive Manager doesn’t have a direct litigation hold function, but end users are unable to directly modify the contents of the Archive Manager store.

E-discovery administrators use a web interface, shown in Figure 3, to access the Archive Manager repository. This interface supports the same search terms as the Exchange 2010 Discovery search but has the advantage of running that search against offline data, minimizing the impact on the messaging infrastructure. You can use the same interface to allow end users to search their mail archive. Archive Manager’s sophisticated permissions model ensures that the scope of discovery searches can be limited when necessary so that only users with appropriate permissions can perform searches against other users’ mailboxes. Archive Manager includes a PST import tool that allows you to add PST files to the existing archive. Once imported, the e-discovery administrator can search the contents of the PST file.

Archive Manager allows saved searches to be stored as RSS-compliant data, a form of updatable data to which a client can subscribe. This means that you can configure Archive Manager so that an RSS reader is able to access the output of scheduled searches and provide the e-discovery administrator with an alert if any new search results come back.

Although it’s listed as one of its features, Archive Manager is not primarily an e-discovery product. It’s possible to save searches, but the web interface limits the complexity of those searches. While most organizations will find this functionality adequate, the e-discovery functionality isn’t as extensive as that of Discovery Attender.

I found setting up Archive Manager fiddly. I had to check the documentation several times to get the product working correctly, and the instructional video available on Quest Software’s website is for a previous version of the product. Final installation required modifying the properties of an IIS 7.5 configuration file before everything ended up working as it should. The Archive Manager installation routine could do with a comprehensive prerequisite checker. Plus, several manual steps could be automated to simplify the deployment process.

Figure 3: The Archive Manager web interface

Archive Manager

PROS: Comprehensive enterprise class email archiving, retention, and discovery functionality

CONS: Strong focus on archiving; might not be suitable for organizations looking for a straight e-discovery solution; setup could benefit from a prerequisite checker

RATING:

PRICE: $40 per managed mailbox

RECOMMENDATION: Archive Manager is a good solution for organizations that need both a retention and e-discovery solution.

CONTACT: Quest Software • 800-306-9329 or 949-754-8000


Editor's Choice

Many products in the e-discovery space primarily function as archive products because retention is closely tied with discovery. With Exchange 2010’s powerful retention functionality, many organizations are finding retention-specific products less necessary than they did with previous versions of Exchange. Discovery Attender’s pinpoint focus on discovery and its ability to search live data and PST files make it this editor’s choice. If you do purchase the product, just make sure that the e-discovery administrator takes the training so that he or she is aware of everything that the product can do. ■
Hardware Firewall Appliances for SMBs

Features to consider when looking for a Next Generation Firewall

In the world of hardware firewall appliances, things have changed drastically in the past few years. “There’s been a fundamental shift in what firewalls are expected to do,” said Dimitri Ara, product-line manager for network security at SonicWALL. “Firewalls used to only focus on building a perimeter around the network by blocking ports. Now most threats come through legitimate access points, like [HTTP] port 80, by mixing malware in with legitimate web traffic.”

Fred Koast, the head of product marketing at Check Point Software, agrees with Ara. “The days of firewalls just enforcing ports and access rules are long gone,” Koast said. “Today’s firewalls have taken on much greater functionality in order to remain effective, and have started to incorporate features from other security devices and introduce new ones.”

Gartner classifies this new generation of firewalls as Next Generation Firewalls (NGFWs). So, what are the new features that IT pros should be mindful of when shopping for an NGFW? Although there isn’t a standard set of NGFW criteria that Gartner and firewall vendors have adopted, there are some commonly accepted features that NGFWs generally should include. I’ll discuss a few of these features. You’ll find others listed in the Buyer’s Guide table.
Integrated Intrusion Prevention System

Traditionally, intrusion prevention systems (IPSs) have been separate devices from the firewall, but recent trends have seen more firewalls integrating IPS capabilities. This integration reduces the cost and complexity of managing two separate devices. It also makes the firewall more effective because the IPS helps the firewall determine what traffic should be allowed. In an example provided by Gartner analysts Greg Pescatore and John Young, good integration between an IPS and a firewall would allow for such capabilities as “providing a suggested firewall rule to block an address that is continually loading the IPS with bad traffic.”

Identity Support

Another key NGFW feature is the ability to use an individual user’s identity to set more granular security rules. “The ability to leverage identity has big security benefits,” said Koast. “You can tie access to a user rather than the devices he uses by leveraging existing identity services like Active Directory.” Enhanced capabilities here allow administrators to set specific rules for specific groups of people, such as blocking everyone but the marketing department from posting on Facebook.

Application Awareness

Building on the ability to restrict or allow access based on group membership, another NGFW feature gives you the ability to target specific applications with more precise control. For example, you might want to allow people to use Facebook for posting images and communicating with customers, but not for instant messaging friends or playing Facebook games on company time. Many NGFWs let you create policies that allow employees to access an application but prevent them from using specific application features that violate HR policy.

Other Considerations

Klaus Gheri, the vice president of European product management for Barracuda Networks, suggests that IT professionals look beyond the NGFW feature set and make sure that the firewall they’re selecting is right for their own use case. Gheri had the following additional suggestions for prospective firewall purchasers:

• Have the right feature set. Gheri stresses that IT pros should make sure the firewall they choose fits the unique needs and requirements of their specific IT environment. “If you have a small business with very limited external traffic, you may not need huge throughput numbers. Or you may need integrated antivirus and anti-malware. Just be sure to get the features you need.”

• Don’t under- or over-size your firewall. A firewall can be a big investment, and picking the right size, form factor, and throughput performance are important points to consider. Features such as deep packet inspection, packet visualization, and other capabilities can slow traffic through your firewall and result in unhappy users.

• Consider manageability and usability. “You also need to look at how easy the firewall is to install, manage, and maintain,” Gheri said. “Some of these factors are soft costs that can really make a difference. How hard is it to upgrade or replace the firewall if something goes wrong? How good and how usable are the diagnostic tools and technical support options?”

• Look for additional value. Finally, Gheri suggests that firewall shoppers look for additional value beyond rigid feature sets. Companies with more rigorous auditing and compliance demands might need to look for products that focus more on those aspects, while smaller companies might favor ease of use and manageability over other features.

Regardless of which firewall you choose, you would be wise to consider the words of Windows IT Pro author Tony Howlett, who is also CTO of the security consulting firm Network Security Services. I interviewed Tony in 2008, and the comments he made then are still relevant: “You should treat [your firewall appliance] like any other OS, perhaps even more so because it guards the entrance to your network. Be sure to regularly review [installed firewall appliances] for required updates and maintenance.” ■
Buyer's Guide

Barracuda Networks: Barracuda NG Firewall 301
  Price: $3,499 + $599 annual
  Deep packet inspection: Proxy, Stream
  Integrated intrusion prevention system (IPS): Yes
  Integrated intrusion detection system (IDS): Yes
  IPv6 support: Yes
  Remote clients: Yes
  Application aware: Yes
  Block by user identity: Yes
  Stateful packet filtering: Yes
  Logs allowed packets in real time: Yes
  Logs dropped packets in real time: Yes
  Report output formats (e.g., HTML, PDF, Word, XML): Excel
  International Computer Security Association (ICSA) certified: No
  Packet visualization: Yes
  DHCP and DNS services: Both
  Management interfaces: Command-line interface (CLI), PowerShell, Secure Shell (SSH)

Check Point Software Technologies: Check Point 4200 Security Appliance
  Price: $4,900
  Deep packet inspection: Stream
  Integrated intrusion prevention system (IPS): Yes
  Integrated intrusion detection system (IDS): Yes
  IPv6 support: Yes
  Remote clients: Yes
  Application aware: Yes
  Block by user identity: Yes
  Stateful packet filtering: Yes
  Logs allowed packets in real time: Yes
  Logs dropped packets in real time: Yes
  Report output formats (e.g., HTML, PDF, Word, XML): HTML, PDF
  International Computer Security Association (ICSA) certified: Yes
  Packet visualization: Yes
  DHCP and DNS services: DHCP
  Management interfaces: CLI, HTTP Secure (HTTPS), SSH, Windows GUI

Cisco: ASA 5512-X Midrange Security Appliance
  Price: $3,995
  Deep packet inspection: Stream
  Integrated intrusion prevention system (IPS): No*
  Integrated intrusion detection system (IDS): No*
  IPv6 support: No
  Remote clients: Yes
  Application aware: Yes
  Block by user identity: Yes
  Stateful packet filtering: Yes
  Logs allowed packets in real time: Yes
  Logs dropped packets in real time: Yes
  Report output formats (e.g., HTML, PDF, Word, XML): Comma-separated value (CSV), PDF
  International Computer Security Association (ICSA) certified: No
  Packet visualization: Yes
  DHCP and DNS services: Both
  Management interfaces: CLI, HTTP, HTTPS, SSH

Fortinet: FortiGate-300C
  Price: $4,995
  Deep packet inspection: Proxy, Stream
  Integrated intrusion prevention system (IPS): Yes
  Integrated intrusion detection system (IDS): Yes
  IPv6 support: Yes
  Remote clients: Yes
  Application aware: Yes
  Block by user identity: Yes
  Stateful packet filtering: Yes
  Logs allowed packets in real time: Yes
  Logs dropped packets in real time: Yes
  Report output formats (e.g., HTML, PDF, Word, XML): HTML, PDF, Word
  International Computer Security Association (ICSA) certified: Yes
  Packet visualization: Yes
  DHCP and DNS services: Both
  Management interfaces: CLI, HTTP, HTTPS, SSH, Telnet

* Available plug-in modules provide IPS and IDS functionality

Editor’s Note: Some vendors you might expect to see in this Buyer's Guide said they didn't have a product that exactly matched the criteria or didn't respond to our requests for information about their products.


WWW.WINDOWSITPRO.COM 


Windows IT Pro / May 2012 137 
Buyer's Guide (continued)

Sophos: Astaro Security Gateway 220
  Price: $4,145
  Deep packet inspection: Proxy, Stream
  Integrated intrusion prevention system (IPS): Yes
  Integrated intrusion detection system (IDS): Yes
  IPv6 support: Yes
  Remote clients: Yes
  Application aware: Yes
  Block by user identity: Yes
  Stateful packet filtering: Yes
  Logs allowed packets in real time: Yes
  Logs dropped packets in real time: Yes
  Report output formats (e.g., HTML, PDF, Word, XML): CSV, HTML, PDF
  International Computer Security Association (ICSA) certified: Yes
  Packet visualization: No
  DHCP and DNS services: Both
  Management interfaces: HTTPS, SSH

WatchGuard Technologies: WatchGuard XTM 810
  Price: $8,499 + LiveSecurity subscription
  Deep packet inspection: Proxy
  Integrated intrusion prevention system (IPS): Yes
  Integrated intrusion detection system (IDS): Yes
  IPv6 support: Yes
  Remote clients: Yes
  Application aware: Yes
  Block by user identity: Yes
  Stateful packet filtering: Yes
  Logs allowed packets in real time: Yes
  Logs dropped packets in real time: Yes
  Report output formats (e.g., HTML, PDF, Word, XML): HTML, PDF, Word, XML
  International Computer Security Association (ICSA) certified: Yes
  Packet visualization: Yes
  DHCP and DNS services: Both
  Management interfaces: CLI, HTTP, HTTPS
Insights from the Industry

Cloud Computing Hiring Demand Surges

The demand for IT professionals with cloud computing skills and experience seems to be surging, with several recent reports highlighting increasing employment opportunities for cloud-savvy job seekers. A recent study by Wanted Analytics states that more than 5,000 cloud computing-related job advertisements were posted in the U.S. in February 2012, an increase of 92 percent over February 2011 and a 400-percent increase over February 2010. Here’s more detail from Wanted Analytics, including areas in which the demand for cloud skills was the highest:

    Cloud computing skills are most frequently advertised for jobs located in the San Jose metropolitan area. During February, more than 900 job ads in San Jose included requirements for cloud computing, growing 144% over the past year. Other metro areas with high demand for cloud skills were Seattle, Washington (DC), San Francisco, and New York. While employers in San Jose placed the highest number of job ads for this talent pool, the highest year-over-year growth was seen nearby in San Francisco at more than 150%.

Performing a keyword trends search for “Cloud Computing” on SimplyHired.com results in the graph that Figure 1 shows (from SimplyHired job trends).
Figure 1: Keyword trends search results for "Cloud Computing" on SimplyHired.com
In addition, performing the same keyword search on Indeed.com results in a similar growth curve (from Indeed.com job trends); see Figure 2. It’s important to note that this surge in job postings isn’t entirely focused on IT careers; demand for cloud skills has expanded into sales, marketing, customer support, and other disciplines and job functions as well.

Figure 2: Keyword trends search results for "Cloud Computing" on Indeed.com
I’ve blogged a bit about cloud computing and IT cloud career trends in the past, and I think the same argument still applies: Cloud computing is a transformative technology that will benefit IT pros who can serve as internal cloud strategists that can help their organizations move IT services to the cloud when it makes business and financial sense. Every business and organization has different IT needs and requirements, so the cloud will never be a panacea for all IT challenges, and on-premises and private cloud solutions might be a better solution for many. (Quick aside: My colleague Sean Deuby has an excellent take on the subject in his article on cloud computing career development.)

One way to bulk up your resume with some additional cloud mojo is to enroll in and pass some of the cloud security training programs offered by the Cloud Security Alliance (CSA). You can obtain a Certificate of Cloud Security Knowledge or enroll in dozens of other training classes offered by the CSA.

—Jeff James
Smartphone Security & Nomophobia

I recently learned a new word: nomophobia. It’s a made-up word, but then all words were made up at some point. When I first saw it, I thought it might be the fear of baseball players with names such as Hideo Nomo or Nomar Garciaparra. Instead, it’s defined as a fear of being out of mobile phone contact—“no-mobile-phone phobia.” As a self-professed smartphone addict who’s already grown quite attached to my Droid Razr Maxx, I had to stop and consider this word.

I saw this term in the results of a study sponsored by security vendor SecurEnvoy. According to this survey of 1,000 people in the United Kingdom, 66 percent admitted to suffering from nomophobia. Younger age groups typically showed higher rates of nomophobia, which is probably to be expected since these are the individuals that have grown up with mobile devices practically grafted to their hands like a natural part of the appendage. In a similar study in 2008, 53 percent of respondents suffered from nomophobia. The increase seems to be consistent with our growing dependence on our mobile devices.

In a study sponsored by a security vendor, naturally they looked at how people secure their devices as well and found that 46 percent reported using no security of any kind—no access code, no encryption. At the high end for secure devices, a mere 3 percent of respondents reported using 2-factor authentication. (Personally, I suspect that those 3 percent all work in the computer security field or are perhaps the nefarious type of people we’re protecting our devices against.)

Having an access password for your smartphone can be a bit of a bother, sure. On the other hand, isn’t it more of a bother if someone finds that unprotected phone you lost and calls their best friend in Iceland before you notice it’s gone, sticking you with the bill? Let’s not even worry about what other data—passwords, credit card numbers—you might have stored access to in your phone’s browser and apps. Putting in a little 4-digit PIN starts to seem a lot less onerous, if you ask me.

I don’t think I’m a nomophobe. (And by the way, when this term was coined relating to mobile phones in 2008, someone should have done a little checking; it already had a definition as “a fear of or disdain for laws,” but that’s not nearly as interesting, right?) I don’t think I fear being without my smartphone. But then, if I always keep it with me, I guess I won’t have to find out. Ah, spoken like a true addict. ■

—B. K. Winstead

InstantDoc ID 142296
From Campaign Gaffe to Meeting-Room Laugh

Product of the Month

In the wake of Mitt Romney’s Etch A Sketch gaffe on the campaign trail, we got a kick out of this new iPad case from Headcase. You can be the “coolest kid in the conference room” with this protective case that makes your iPad look like the famous childhood toy. This is a fully functional, protective case made of impact-resistant ABS plastic, created by Ohio Art in the same factory used to make real Etch A Sketch toys. There’s even an Etch A Sketch app so that you can use your iPad as a $900 kid gadget! The case has the added benefit of disguising your computing device from potential thieves.
Figure 1: Could've fooled me!

Figure 2: One error or two? (Outlook Express dialog: "There was an error opening this message. An error has occurred." with an OK button)

Figure 3: Clearly
USER MOMENT 
OF THE MONTH 

At my company, we recently rolled out a new email solution to our 300 onsite users. The day before the scheduled install, we sent out a PDF containing screenshots of the upgrade process so that users would know what to expect. A few days after the installation, I got a phone call from a user complaining that the installation had been stuck on the Installation Progress screen for days. Even over the phone, I knew that the user had simply left the PDF file open on his screen and was just afraid of clicking anything. At his desk, I simply closed the PDF file and said, “OK, it’s finished!”

—Tom Deeth


Send us your funny screenshots, oddball product news, 
and hilarious end-user stories. If we use your submission, 
you'll receive a Windows IT Pro Rubik's Cube. 

